File name: TTWL.ProtoGibbed.1.0.3.zip

Full analysis: https://app.any.run/tasks/9ef69db5-5993-4f41-b34a-899e322539a9
Verdict: Malicious activity
Analysis date: December 06, 2023, 22:16:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5480F5A12E560683C100C31F3F8DBCDB
SHA1: F2BE15F92693A2BDC54DA5C3FD1A5C7047E1F19E
SHA256: F921C16CC0D0F336D9EB0EF24ED04C42BFFBB43D93702FBF32F579543AE2ECD1
SSDEEP: 98304:/kRfj4fC1EgIVeVDHgRLL7Yb2HPSFaJvrqMnUO/EDTYQito+p7tLTaxOFGhDT7M2:8GzV7Of7Xf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 280)
    • Reads the Internet Settings

      • TTWSaveEditor.exe (PID: 1560)
      • TTWSaveEditor.exe (PID: 2860)
    • Application launched itself

      • TTWSaveEditor.exe (PID: 1560)
  • INFO

    • Manual execution by a user

      • TTWSaveEditor.exe (PID: 1560)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 280)
    • Reads the computer name

      • TTWSaveEditor.exe (PID: 1560)
      • TTWSaveEditor.exe (PID: 2860)
    • Checks supported languages

      • TTWSaveEditor.exe (PID: 1560)
      • TTWSaveEditor.exe (PID: 2860)
    • Reads the machine GUID from the registry

      • TTWSaveEditor.exe (PID: 1560)
      • TTWSaveEditor.exe (PID: 2860)
    • Creates files in the program directory

      • TTWSaveEditor.exe (PID: 1560)
    • Creates files or folders in the user directory

      • TTWSaveEditor.exe (PID: 1560)
      • TTWSaveEditor.exe (PID: 2860)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2021:09:05 05:30:12
ZipCRC: 0xae69641f
ZipCompressedSize: 59634
ZipUncompressedSize: 293888
ZipFileName: TTWL ProtoGibbed 1.0.3/AdonisUI.ClassicTheme.dll
No data.
Total processes: 39
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes in the graph (none flagged with specific indicators):
  • winrar.exe
  • ttwsaveeditor.exe
  • ttwsaveeditor.exe

Process information

PID: 280
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\TTWL.ProtoGibbed.1.0.3.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1560
CMD: "C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe"
Path: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Company: Arwent
Integrity Level: MEDIUM
Description: Tiny Tina's Wonderlands Save Editor
Exit code: 0
Version: 0.1.0.0
Modules (images):
c:\users\admin\desktop\ttwl protogibbed 1.0.3\ttwsaveeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2860
CMD: "C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe"
Path: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe
Indicators: (none listed)
Parent process: TTWSaveEditor.exe
User: admin
Company: Arwent
Integrity Level: MEDIUM
Description: Tiny Tina's Wonderlands Save Editor
Exit code: 0
Version: 0.1.0.0
Modules (images):
c:\users\admin\desktop\ttwl protogibbed 1.0.3\ttwsaveeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 3 831
Read events: 3 764
Write events: 66
Delete events: 1

Modification events

Process: WinRAR.exe (PID 280)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

Process: WinRAR.exe (PID 280)
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files: 39
Suspicious files: 8
Text files: 12
Unknown types: 0

Dropped files

PID | Process | Filename | Type

280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AdonisUI.dll | executable
  MD5: 3D4C8B6AAD28EC574E56CCDA22B34EF3
  SHA256: DB46B6106DC1B30041CE3F287DED91166895FF3F1928250FC79DD46C444B1E45
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\BL3Tools.dll.config | xml
  MD5: 8D4BD9D75FB88370838A900AFE2871D6
  SHA256: F2CEDFCDA720C7AF643A76B6FC96A89E61104416A63F0876630E8CA660AA8AC9
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AdonisUI.ClassicTheme.dll | executable
  MD5: 8A1B183BCA062F48402C74F2DABA7B92
  SHA256: 8103F2CCE6A864CEEFE6C5B0C05087AC85AB04A2ABF150E93BC9DB90C54D9D20
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\BL3Tools.pdb | pdb
  MD5: 69441F029C405DB265D3C9E8C833A959
  SHA256: FE4437E4178BCB86988518EB08F9656E960ABB3C891C5C82E6D5A5DE8CE23FFE
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\BL3Tools.dll | executable
  MD5: 68A24F4EEDC160E29DEDDD7247912F9B
  SHA256: 779C8FA886B5907B342023BE222358AB2CC47740B5DD5256C5F40F31F46797E1
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\Costura.dll | executable
  MD5: 38CB301873A0E47FD5B35BD9CBBDBD6C
  SHA256: 1882DC182FC94367EC9EF13C7E519ADAA900975F739AC32354B61EABD1A3AACB
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\cs-CZ\Xceed.Wpf.AvalonDock.resources.dll | executable
  MD5: 5EA2BD330EBB53AA0BEA4975AFF7336B
  SHA256: 0C19130DE331A9ABBFA057A579654F424B21256C3ADAC8DA0841C76A6A58BA7A
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\Costura.pdb | binary
  MD5: A6BFA9138A3B9C0EAA9528C8AA5BAF15
  SHA256: 52266E743A72DBBAB9A08608DF0382430F010343EE19A0478D097D26FDEFC5EA
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\CsvHelper.dll | executable
  MD5: 4C6447C5C026BF5D879FF2E0A955B529
  SHA256: A126619FD6BF28B322579FF6FC414F2DECDB236EC5C33DC7E2C8EDC7DE6B011A
280 | WinRAR.exe | C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\IOTools.pdb | binary
  MD5: EF12001A82CA5F0562AC89960E992660
  SHA256: 71B3A1FAEBE4C0600B747DFAC001FAE4ACBB81DB2F7B8691E6C8840B78F95FF1
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
868 | svchost.exe | 23.211.8.250:80 | armmf.adobe.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
armmf.adobe.com | 23.211.8.250 | whitelisted

Threats

No threats detected
No debug info