File name:

TTWL.ProtoGibbed.1.0.3.zip

Full analysis: https://app.any.run/tasks/9ef69db5-5993-4f41-b34a-899e322539a9
Verdict: Malicious activity
Analysis date: December 06, 2023, 22:16:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

5480F5A12E560683C100C31F3F8DBCDB

SHA1:

F2BE15F92693A2BDC54DA5C3FD1A5C7047E1F19E

SHA256:

F921C16CC0D0F336D9EB0EF24ED04C42BFFBB43D93702FBF32F579543AE2ECD1

SSDEEP:

98304:/kRfj4fC1EgIVeVDHgRLL7Yb2HPSFaJvrqMnUO/EDTYQito+p7tLTaxOFGhDT7M2:8GzV7Of7Xf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 280)

    • Reads the Internet Settings

      • TTWSaveEditor.exe (PID: 2860)
      • TTWSaveEditor.exe (PID: 1560)

    • Application launched itself

      • TTWSaveEditor.exe (PID: 1560)

  • INFO

    • Reads the machine GUID from the registry

      • TTWSaveEditor.exe (PID: 1560)
      • TTWSaveEditor.exe (PID: 2860)

    • Manual execution by a user

      • TTWSaveEditor.exe (PID: 1560)

    • Checks supported languages

      • TTWSaveEditor.exe (PID: 2860)
      • TTWSaveEditor.exe (PID: 1560)

    • Creates files in the program directory

      • TTWSaveEditor.exe (PID: 1560)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 280)

    • Reads the computer name

      • TTWSaveEditor.exe (PID: 2860)
      • TTWSaveEditor.exe (PID: 1560)

    • Creates files or folders in the user directory

      • TTWSaveEditor.exe (PID: 1560)
      • TTWSaveEditor.exe (PID: 2860)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2021:09:05 05:30:12
ZipCRC: 0xae69641f
ZipCompressedSize: 59634
ZipUncompressedSize: 293888
ZipFileName: TTWL ProtoGibbed 1.0.3/AdonisUI.ClassicTheme.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs ttwsaveeditor.exe no specs ttwsaveeditor.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
280"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\TTWL.ProtoGibbed.1.0.3.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1560"C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe" C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exeexplorer.exe
User:
admin
Company:
Arwent
Integrity Level:
MEDIUM
Description:
Tiny Tina's Wonderlands Save Editor
Exit code:
0
Version:
0.1.0.0
Modules
Images
c:\users\admin\desktop\ttwl protogibbed 1.0.3\ttwsaveeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2860"C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe" C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exeTTWSaveEditor.exe
User:
admin
Company:
Arwent
Integrity Level:
MEDIUM
Description:
Tiny Tina's Wonderlands Save Editor
Exit code:
0
Version:
0.1.0.0
Modules
Images
c:\users\admin\desktop\ttwl protogibbed 1.0.3\ttwsaveeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
3 831
Read events
3 764
Write events
66
Delete events
1

Modification events

(PID) Process:(280) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
39
Suspicious files
8
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AdonisUI.ClassicTheme.dllexecutable
MD5:8A1B183BCA062F48402C74F2DABA7B92
SHA256:8103F2CCE6A864CEEFE6C5B0C05087AC85AB04A2ABF150E93BC9DB90C54D9D20
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AutoUpdater.NET.pdbpdb
MD5:898DC328C1F7710E2ECB699BBC2FE777
SHA256:46083191DEDCD7D7BBAFD24246E11E3640EB9060B90938E495B9D19FE667D486
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\Costura.dllexecutable
MD5:38CB301873A0E47FD5B35BD9CBBDBD6C
SHA256:1882DC182FC94367EC9EF13C7E519ADAA900975F739AC32354B61EABD1A3AACB
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AdonisUI.dllexecutable
MD5:3D4C8B6AAD28EC574E56CCDA22B34EF3
SHA256:DB46B6106DC1B30041CE3F287DED91166895FF3F1928250FC79DD46C444B1E45
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\de\Xceed.Wpf.AvalonDock.resources.dllexecutable
MD5:1F0441B7410AB71F26CBFA9CCA0F1A12
SHA256:53AC12948C2C7431D69B5E3DF0A497DB28572EEC2E53DBB51608DBA6DB355FB5
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\ICSharpCode.SharpZipLib.pdbbinary
MD5:075CEA00617ECB879FB3B08812D2BB45
SHA256:C9BF2401EC0111537C51BF1179439A55D6C8CCC61CB8A70DCF169768F68C9B17
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\fr\Xceed.Wpf.AvalonDock.resources.dllexecutable
MD5:12E582085019429F8816D5917D54E2C6
SHA256:A910AA91939704AD364FF25B46BAF16F4F1F80F5537C7569AA762390DFBEEED1
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\CsvHelper.dllexecutable
MD5:4C6447C5C026BF5D879FF2E0A955B529
SHA256:A126619FD6BF28B322579FF6FC414F2DECDB236EC5C33DC7E2C8EDC7DE6B011A
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\ICSharpCode.SharpZipLib.xmlxml
MD5:D9F6A72A194B5981E3C7F667850104A4
SHA256:262A3DAF3126E799D0AED8C57AF6B94C56967B0F3EC86D8C1C0AC85B5E5E6A13
280WinRAR.exeC:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\IOTools.dllexecutable
MD5:F3F1D83AC1231DEBF93FA25FAD8E5E1C
SHA256:D9901A15E2A5FA9EC5DA3CDD0760C861BE3927A8F2F33076C3D65A71173CDEDB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
868
svchost.exe
23.211.8.250:80
armmf.adobe.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
armmf.adobe.com
  • 23.211.8.250
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TTWL.ProtoGibbed.1.0.3.zip