File name: TTWL.ProtoGibbed.1.0.3.zip

Full analysis: https://app.any.run/tasks/9ef69db5-5993-4f41-b34a-899e322539a9
Verdict: Malicious activity
Analysis date: December 06, 2023, 22:16:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5480F5A12E560683C100C31F3F8DBCDB
SHA1: F2BE15F92693A2BDC54DA5C3FD1A5C7047E1F19E
SHA256: F921C16CC0D0F336D9EB0EF24ED04C42BFFBB43D93702FBF32F579543AE2ECD1
SSDEEP: 98304:/kRfj4fC1EgIVeVDHgRLL7Yb2HPSFaJvrqMnUO/EDTYQito+p7tLTaxOFGhDT7M2:8GzV7Of7Xf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 280)
    • Application launched itself

      • TTWSaveEditor.exe (PID: 1560)
    • Reads the Internet Settings

      • TTWSaveEditor.exe (PID: 2860)
      • TTWSaveEditor.exe (PID: 1560)
  • INFO

    • Manual execution by a user

      • TTWSaveEditor.exe (PID: 1560)
    • Checks supported languages

      • TTWSaveEditor.exe (PID: 1560)
      • TTWSaveEditor.exe (PID: 2860)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 280)
    • Reads the machine GUID from the registry

      • TTWSaveEditor.exe (PID: 2860)
      • TTWSaveEditor.exe (PID: 1560)
    • Reads the computer name

      • TTWSaveEditor.exe (PID: 2860)
      • TTWSaveEditor.exe (PID: 1560)
    • Creates files or folders in the user directory

      • TTWSaveEditor.exe (PID: 2860)
      • TTWSaveEditor.exe (PID: 1560)
    • Creates files in the program directory

      • TTWSaveEditor.exe (PID: 1560)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2021:09:05 05:30:12
ZipCRC: 0xae69641f
ZipCompressedSize: 59634
ZipUncompressedSize: 293888
ZipFileName: TTWL ProtoGibbed 1.0.3/AdonisUI.ClassicTheme.dll
No data.
Total processes: 39
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1


Process information

PID: 280
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\TTWL.ProtoGibbed.1.0.3.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 1560
CMD: "C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe"
Path: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe
Parent process: explorer.exe
User: admin
Company: Arwent
Integrity Level: MEDIUM
Description: Tiny Tina's Wonderlands Save Editor
Exit code: 0
Version: 0.1.0.0
Modules (images):
c:\users\admin\desktop\ttwl protogibbed 1.0.3\ttwsaveeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2860
CMD: "C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe"
Path: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\TTWSaveEditor.exe
Parent process: TTWSaveEditor.exe
User: admin
Company: Arwent
Integrity Level: MEDIUM
Description: Tiny Tina's Wonderlands Save Editor
Exit code: 0
Version: 0.1.0.0
Modules (images):
c:\users\admin\desktop\ttwl protogibbed 1.0.3\ttwsaveeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Total events: 3 831
Read events: 3 764
Write events: 66
Delete events: 1

Modification events

(PID) Process: (280) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop

Executable files: 39
Suspicious files: 8
Text files: 12
Unknown types: 0

Dropped files

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\BL3Tools.dll (executable)
MD5: 68A24F4EEDC160E29DEDDD7247912F9B
SHA256: 779C8FA886B5907B342023BE222358AB2CC47740B5DD5256C5F40F31F46797E1

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AutoUpdater.NET.dll (executable)
MD5: 90FDDE7828DA89E0BD000050E70DCA01
SHA256: 491922E6FB3A9D4378F0D185A4B67873606B233EDC903A7BA95193A1FF77F98D

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\BL3Tools.dll.config (xml)
MD5: 8D4BD9D75FB88370838A900AFE2871D6
SHA256: F2CEDFCDA720C7AF643A76B6FC96A89E61104416A63F0876630E8CA660AA8AC9

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\BL3Tools.pdb (pdb)
MD5: 69441F029C405DB265D3C9E8C833A959
SHA256: FE4437E4178BCB86988518EB08F9656E960ABB3C891C5C82E6D5A5DE8CE23FFE

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AdonisUI.dll (executable)
MD5: 3D4C8B6AAD28EC574E56CCDA22B34EF3
SHA256: DB46B6106DC1B30041CE3F287DED91166895FF3F1928250FC79DD46C444B1E45

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AutoUpdater.NET.pdb (pdb)
MD5: 898DC328C1F7710E2ECB699BBC2FE777
SHA256: 46083191DEDCD7D7BBAFD24246E11E3640EB9060B90938E495B9D19FE667D486

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\AdonisUI.ClassicTheme.dll (executable)
MD5: 8A1B183BCA062F48402C74F2DABA7B92
SHA256: 8103F2CCE6A864CEEFE6C5B0C05087AC85AB04A2ABF150E93BC9DB90C54D9D20

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\es\Xceed.Wpf.AvalonDock.resources.dll (executable)
MD5: ACD5BC73CD93031DC231166EC8BBB4B7
SHA256: E6D51EAFCE081FA301862F214434ECD62EA5950988A2BD861994BA7B8883DD70

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\Costura.pdb (binary)
MD5: A6BFA9138A3B9C0EAA9528C8AA5BAF15
SHA256: 52266E743A72DBBAB9A08608DF0382430F010343EE19A0478D097D26FDEFC5EA

PID 280, WinRAR.exe: C:\Users\admin\Desktop\TTWL ProtoGibbed 1.0.3\ICSharpCode.SharpZipLib.pdb (binary)
MD5: 075CEA00617ECB879FB3B08812D2BB45
SHA256: C9BF2401EC0111537C51BF1179439A55D6C8CCC61CB8A70DCF169768F68C9B17

HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4, System: 192.168.100.255:137 (reputation: unknown)
PID 4, System: 192.168.100.255:138 (reputation: unknown)
PID 868, svchost.exe: 23.211.8.250:80, domain armmf.adobe.com, ASN AKAMAI-AS, CN DE (reputation: unknown)

DNS requests

armmf.adobe.com resolves to 23.211.8.250 (reputation: unknown)

Threats

No threats detected
No debug info