File name: H3Ze9Uj.exe
Full analysis: https://app.any.run/tasks/ef3617ca-c004-42e8-aa9d-cbd5f56804e7
Verdict: Malicious activity
Analysis date: February 15, 2025, 16:51:15
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 0252E4B7D794B447F2625A8EDD396FA3
SHA1: B242300432FF9AA87C152CB89D3B103177044F97
SHA256: A6805D2D8ACF695A6831F5B310520902EC988D7116DADB424AF7667C4E648F81
SSDEEP: 98304:LP/h/5E1SZVY4MGflqD0uC8PlHzUn1OdLpAgU/0u22LcPfJseYBhf/lyLsBFL/eX:E8z7mt9eX+8vQhYRUOdleR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • TiVoServer.exe (PID: 6500)
      • TiVoServer.exe (PID: 6524)
  • SUSPICIOUS

    • Starts itself from another location

      • H3Ze9Uj.exe (PID: 6444)
      • TiVoServer.exe (PID: 6500)
    • Executable content was dropped or overwritten

      • H3Ze9Uj.exe (PID: 6444)
      • H3Ze9Uj.exe (PID: 6468)
      • cmd.exe (PID: 6548)
      • TiVoServer.exe (PID: 6500)
    • Process drops legitimate windows executable

      • H3Ze9Uj.exe (PID: 6468)
    • Starts CMD.EXE for command execution

      • TiVoServer.exe (PID: 6524)
    • The executable file from the user directory is run by the CMD process

      • Toolpatch_dbg.exe (PID: 5752)
    • Reads the date of Windows installation

      • Toolpatch_dbg.exe (PID: 5752)
  • INFO

    • Checks supported languages

      • H3Ze9Uj.exe (PID: 6444)
      • H3Ze9Uj.exe (PID: 6468)
      • TiVoServer.exe (PID: 6500)
      • Toolpatch_dbg.exe (PID: 5752)
      • TiVoServer.exe (PID: 6524)
    • The sample was compiled with English language support

      • H3Ze9Uj.exe (PID: 6444)
      • H3Ze9Uj.exe (PID: 6468)
      • TiVoServer.exe (PID: 6500)
    • Creates files in a temporary directory

      • H3Ze9Uj.exe (PID: 6444)
      • H3Ze9Uj.exe (PID: 6468)
      • TiVoServer.exe (PID: 6524)
    • Reads the computer name

      • H3Ze9Uj.exe (PID: 6468)
      • TiVoServer.exe (PID: 6524)
      • TiVoServer.exe (PID: 6500)
      • Toolpatch_dbg.exe (PID: 5752)
    • Creates files or folders in the user directory

      • TiVoServer.exe (PID: 6500)
    • Reads the machine GUID from the registry

      • Toolpatch_dbg.exe (PID: 5752)
    • Reads the software policy settings

      • Toolpatch_dbg.exe (PID: 5752)
    • Checks proxy server information

      • Toolpatch_dbg.exe (PID: 5752)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
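The indicators above (a process that starts itself from another location, executable content dropped into Temp, cmd.exe launching an executable from the user directory) are sandbox signatures, and the same conditions can be encoded as detection rules over process-creation events. The following is an added example written for this page, not ANY.RUN's code. It replays the report's process table; the report names each parent process but not its PID, so the ppid values are inferred from those names and from which process dropped which file (an assumption). It separates the WiX Burn bootstrapper's clean-room relaunch, which the -burn.clean.room= switch identifies and which is normal installer behaviour, from TiVoServer.exe re-executing itself from AppData\Roaming, which is not.

```python
"""Process-tree detection logic for the signatures listed above (added example)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # inferred from the parent names in the report (assumption)
    image: str       # full path of the executing image
    cmdline: str


TEMP = r"C:\Users\admin\AppData\Local\Temp"
CR = TEMP + r"\{4ED74B50-35CF-40DF-994A-2EFF012871F4}\.cr"
BA = TEMP + r"\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba"
ROAMING = r"C:\Users\admin\AppData\Roaming\Servicewriter"

# Transcribed from the report's process table. explorer.exe (the launcher of
# PID 6444) is outside the monitored set, so its PID is given as 0.
EVENTS = [
    ProcEvent(6444, 0, TEMP + r"\H3Ze9Uj.exe", '"' + TEMP + r'\H3Ze9Uj.exe"'),
    # Burn bootstrapper relaunching itself from its clean-room copy
    ProcEvent(6468, 6444, CR + r"\H3Ze9Uj.exe",
              '"' + CR + r'\H3Ze9Uj.exe" -burn.clean.room="' + TEMP
              + r'\H3Ze9Uj.exe" -burn.filehandle.attached=596 -burn.filehandle.self=592'),
    ProcEvent(6500, 6468, BA + r"\TiVoServer.exe", BA + r"\TiVoServer.exe"),
    ProcEvent(6524, 6500, ROAMING + r"\TiVoServer.exe", ROAMING + r"\TiVoServer.exe"),
    ProcEvent(6548, 6524, r"C:\Windows\SysWOW64\cmd.exe", r"C:\WINDOWS\SysWOW64\cmd.exe"),
    ProcEvent(6580, 6548, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5752, 6548, TEMP + r"\Toolpatch_dbg.exe", TEMP + r"\Toolpatch_dbg.exe"),
]

# Directory markers a standard user can write to (lower-cased for comparison).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return, per rule, the PIDs that trigger it."""
    by_pid = {e.pid for e in events} and {e.pid: e for e in events}
    findings: Dict[str, List[int]] = {
        "burn_clean_room": [],        # same image, new directory, Burn clean-room switch
        "self_relocation": [],        # same image, new directory, no installer explanation
        "cmd_runs_user_dir_exe": [],  # cmd.exe child executing from a user-writable path
        "runs_from_roaming": [],      # image located under AppData\Roaming
    }
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and _base(e.image) == _base(parent.image) and _dir(e.image) != _dir(parent.image):
            key = "burn_clean_room" if "-burn.clean.room=" in e.cmdline else "self_relocation"
            findings[key].append(e.pid)
        if parent and _base(parent.image) == "cmd.exe" and _in_user_writable(e.image):
            findings["cmd_runs_user_dir_exe"].append(e.pid)
        if "\\appdata\\roaming\\" in e.image.lower():
            findings["runs_from_roaming"].append(e.pid)
    return findings


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from the given PID up to the root of the monitored tree."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, pids in analyze(EVENTS).items():
        print(f"{rule:24s} {pids}")
    print(" <- ".join(ancestry(EVENTS, 5752)))
```

The two relocations look identical to the raw "same image, different directory" condition; the command line is what separates the installer's expected clean-room relaunch from the payload copying itself into a Roaming folder, so a rule that fires on the bare condition will alert on every Burn-based installer.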
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:11:18 22:00:38+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.11
CodeSize: 301568
InitializedDataSize: 160768
UninitializedDataSize: -
EntryPoint: 0x2e2a6
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 6.3.4.0
ProductVersionNumber: 6.3.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Prison
FileDescription: Impenitency
FileVersion: 6.3.4.0
InternalName: setup
LegalCopyright: Copyright (c) Prison. All rights reserved.
OriginalFileName: chicken.exe
ProductName: Impenitency
ProductVersion: 6.3.4.0
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process nodes in launch order ("no specs" marks a process that triggered no signatures):
start → h3ze9uj.exe → h3ze9uj.exe → tivoserver.exe → tivoserver.exe (no specs) → cmd.exe → { conhost.exe (no specs), toolpatch_dbg.exe }

Process information

PID 5752
  CMD:             C:\Users\admin\AppData\Local\Temp\Toolpatch_dbg.exe
  Path:            C:\Users\admin\AppData\Local\Temp\Toolpatch_dbg.exe
  Parent process:  cmd.exe
  User:            admin
  Company:         Nenad Hrg (SoftwareOK.com)
  Integrity level: MEDIUM
  Description:     Q-Dir
  Version:         11,4,4,0
  Modules (images):
    c:\users\admin\appdata\local\temp\pffwbywnnxx
    c:\users\admin\appdata\local\temp\toolpatch_dbg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
PID 6444
  CMD:             "C:\Users\admin\AppData\Local\Temp\H3Ze9Uj.exe"
  Path:            C:\Users\admin\AppData\Local\Temp\H3Ze9Uj.exe
  Parent process:  explorer.exe
  User:            admin
  Company:         Prison
  Integrity level: MEDIUM
  Description:     Impenitency
  Exit code:       0
  Version:         6.3.4.0
  Modules (images):
    c:\users\admin\appdata\local\temp\h3ze9uj.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
PID 6468
  CMD:             "C:\Users\admin\AppData\Local\Temp\{4ED74B50-35CF-40DF-994A-2EFF012871F4}\.cr\H3Ze9Uj.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\H3Ze9Uj.exe" -burn.filehandle.attached=596 -burn.filehandle.self=592
  Path:            C:\Users\admin\AppData\Local\Temp\{4ED74B50-35CF-40DF-994A-2EFF012871F4}\.cr\H3Ze9Uj.exe
  Parent process:  H3Ze9Uj.exe
  User:            admin
  Company:         Prison
  Integrity level: MEDIUM
  Description:     Impenitency
  Exit code:       0
  Version:         6.3.4.0
  Modules (images):
    c:\users\admin\appdata\local\temp\{4ed74b50-35cf-40df-994a-2eff012871f4}\.cr\h3ze9uj.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
PID 6500
  CMD:             C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\TiVoServer.exe
  Path:            C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\TiVoServer.exe
  Parent process:  H3Ze9Uj.exe
  User:            admin
  Company:         TiVo Inc.
  Integrity level: MEDIUM
  Description:     TiVo Server Service Process
  Exit code:       0
  Version:         2.8.3
  Modules (images):
    c:\users\admin\appdata\local\temp\{364a2a59-0c05-4fa1-bd8f-b6e27dab9bc7}\.ba\tivoserver.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\shell32.dll
PID 6524
  CMD:             C:\Users\admin\AppData\Roaming\Servicewriter\TiVoServer.exe
  Path:            C:\Users\admin\AppData\Roaming\Servicewriter\TiVoServer.exe
  Parent process:  TiVoServer.exe
  User:            admin
  Company:         TiVo Inc.
  Integrity level: MEDIUM
  Description:     TiVo Server Service Process
  Exit code:       1
  Version:         2.8.3
  Modules (images):
    c:\users\admin\appdata\roaming\servicewriter\tivoserver.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\shell32.dll
PID 6548
  CMD:             C:\WINDOWS\SysWOW64\cmd.exe
  Path:            C:\Windows\SysWOW64\cmd.exe
  Parent process:  TiVoServer.exe
  User:            admin
  Company:         Microsoft Corporation
  Integrity level: MEDIUM
  Description:     Windows Command Processor
  Exit code:       0
  Version:         10.0.19041.3636 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\syswow64\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll
PID 6580
  CMD:             \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path:            C:\Windows\System32\conhost.exe
  Parent process:  cmd.exe
  User:            admin
  Company:         Microsoft Corporation
  Integrity level: MEDIUM
  Description:     Console Window Host
  Exit code:       0
  Version:         10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
Total events: 750
Read events: 750
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 21
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files

PID   Process       Filename (Type; MD5; SHA256; "-" marks a cell the report left empty)

6468  H3Ze9Uj.exe   C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\leprosarium.mpg
      Type: -   MD5: -   SHA256: -
6468  H3Ze9Uj.exe   C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\trickery.tif
      Type: binary   MD5: 75CB48AA01699DFB70697A2DBC7ECF9D
      SHA256: 0230E7CE21826A2E275EBFC92C5580C1CBA7CA39BCB4E2C6DFF43EEDF8495D61
6468  H3Ze9Uj.exe   C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\wspconfig.dll
      Type: executable   MD5: 3FE26D55B0AB178113D000B92950F3AF
      SHA256: 354A0C7741EEC78E06BE2B2CD5A4A20570E36603CEEEAEE4B5FED1EAB7B426C4
6468  H3Ze9Uj.exe   C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\TiVoServer.exe
      Type: executable   MD5: 1600D4E66F814372153668378D38AB1E
      SHA256: 482EC2CFABA9E58435C807CF43F6CFA3EFF0093D0128B066378E103E6DDF69EC
6468  H3Ze9Uj.exe   C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\Vcl60.bpl
      Type: binary   MD5: 3C54D0CA35AD94787FE3EB1EFB76FEB5
      SHA256: 92E2D1CF4DF636AF37F4C50AD3A1F04D7E21EAEB7BFE8478AB7C23F68791826D
6468  H3Ze9Uj.exe   C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\Ride.dll
      Type: executable   MD5: F10F6B6EBF31F7B28B2418A9BA69CB91
      SHA256: A1FD39B7480F2B16624F8A8BF2FE575AC5A3DC946DDE3D9D3925B16B53DD24EA
6468  H3Ze9Uj.exe   C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\libglib-2.0-0.dll
      Type: executable   MD5: 226DAF8C1FD88C1A4F89368C7C706457
      SHA256: 50F1197A25498AF94D9098CDF44BCFED312DB671C3CA7B8845B6B132AFEF8423
6500  TiVoServer.exe   C:\Users\admin\AppData\Roaming\Servicewriter\leprosarium.mpg
      Type: -   MD5: -   SHA256: -
6524  TiVoServer.exe   C:\Users\admin\AppData\Local\Temp\103bd197
      Type: -   MD5: -   SHA256: -
6468  H3Ze9Uj.exe   C:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\MindClient.dll
      Type: executable   MD5: C058B36FB6B007C2920604229B1FA0A3
      SHA256: 37CC3EBFF3B7B7E55E8A8CC8785449152C6B119D25BACC6671B089DCA7998CA2
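As extracted, the dropped-file table runs PID, process, path and type together on one line and follows each entry with MD5 and SHA256 lines, so a parser is the first thing an analyst needs before doing anything with it. The following is an added example, not ANY.RUN code: it parses those rows exactly as they appear on this page (the sample text is transcribed from the table above), emits the SHA256 IOC list, and groups files by dropping process and directory to surface the sideloading candidate pattern visible here, namely a vendor executable (TiVoServer.exe) dropped alongside DLLs and a .bpl in the same .ba folder. The grouping only identifies candidates: which of those modules TiVoServer.exe actually loaded is not shown on this page, since the module lists above cover only the first ten images, all of them system DLLs.

```python
"""Parse the flattened ANY.RUN 'Dropped files' rows and find sideloading candidates (added example)."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List

# Rows transcribed verbatim from the report's dropped-files table.
DROPPED_TABLE = r"""
6468H3Ze9Uj.exeC:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\leprosarium.mpg
MD5:
SHA256:
6468H3Ze9Uj.exeC:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\trickery.tifbinary
MD5:75CB48AA01699DFB70697A2DBC7ECF9D
SHA256:0230E7CE21826A2E275EBFC92C5580C1CBA7CA39BCB4E2C6DFF43EEDF8495D61
6468H3Ze9Uj.exeC:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\wspconfig.dllexecutable
MD5:3FE26D55B0AB178113D000B92950F3AF
SHA256:354A0C7741EEC78E06BE2B2CD5A4A20570E36603CEEEAEE4B5FED1EAB7B426C4
6468H3Ze9Uj.exeC:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\TiVoServer.exeexecutable
MD5:1600D4E66F814372153668378D38AB1E
SHA256:482EC2CFABA9E58435C807CF43F6CFA3EFF0093D0128B066378E103E6DDF69EC
6468H3Ze9Uj.exeC:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\Vcl60.bplbinary
MD5:3C54D0CA35AD94787FE3EB1EFB76FEB5
SHA256:92E2D1CF4DF636AF37F4C50AD3A1F04D7E21EAEB7BFE8478AB7C23F68791826D
6468H3Ze9Uj.exeC:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\Ride.dllexecutable
MD5:F10F6B6EBF31F7B28B2418A9BA69CB91
SHA256:A1FD39B7480F2B16624F8A8BF2FE575AC5A3DC946DDE3D9D3925B16B53DD24EA
6468H3Ze9Uj.exeC:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\libglib-2.0-0.dllexecutable
MD5:226DAF8C1FD88C1A4F89368C7C706457
SHA256:50F1197A25498AF94D9098CDF44BCFED312DB671C3CA7B8845B6B132AFEF8423
6500TiVoServer.exeC:\Users\admin\AppData\Roaming\Servicewriter\leprosarium.mpg
MD5:
SHA256:
6524TiVoServer.exeC:\Users\admin\AppData\Local\Temp\103bd197
MD5:
SHA256:
6468H3Ze9Uj.exeC:\Users\admin\AppData\Local\Temp\{364A2A59-0C05-4FA1-BD8F-B6E27DAB9BC7}\.ba\MindClient.dllexecutable
MD5:C058B36FB6B007C2920604229B1FA0A3
SHA256:37CC3EBFF3B7B7E55E8A8CC8785449152C6B119D25BACC6671B089DCA7998CA2
"""

# PID, dropping process (ends in .exe), Windows path, optional type suffix glued on.
ROW_RE = re.compile(
    r"^(?P<pid>\d+)(?P<proc>.+?\.exe)(?P<path>[A-Za-z]:\\.+?)(?P<type>executable|binary|text)?$"
)


def parse_dropped(text: str) -> List[Dict[str, object]]:
    """Turn the flattened rows into records with pid, proc, path, type, md5, sha256."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records: List[Dict[str, object]] = []
    i = 0
    while i < len(lines):
        m = ROW_RE.match(lines[i])
        if not m:
            raise ValueError(f"unrecognised row: {lines[i]!r}")
        rec: Dict[str, object] = m.groupdict()
        rec["pid"] = int(m.group("pid"))
        rec["md5"] = rec["sha256"] = ""
        i += 1
        # Hash lines follow the row; an empty value means the report had none.
        while i < len(lines) and lines[i].startswith(("MD5:", "SHA256:")):
            key, _, value = lines[i].partition(":")
            rec[key.lower()] = value.strip().upper()
            i += 1
        records.append(rec)
    return records


def ioc_hashes(records) -> List[str]:
    """Deduplicated SHA256 values usable as file IOCs."""
    return sorted({r["sha256"] for r in records if r["sha256"]})


def sideload_candidates(records) -> Dict[str, Dict[str, List[str]]]:
    """Directories where one process dropped an .exe together with loadable modules (.dll/.bpl)."""
    by_dir = defaultdict(list)
    for r in records:
        by_dir[(r["pid"], ntpath.dirname(r["path"]).lower())].append(r)
    out = {}
    for (_pid, directory), recs in by_dir.items():
        exes = [ntpath.basename(r["path"]) for r in recs if r["path"].lower().endswith(".exe")]
        mods = [ntpath.basename(r["path"]) for r in recs if r["path"].lower().endswith((".dll", ".bpl"))]
        if exes and mods:
            out[directory] = {"exe": exes, "modules": sorted(mods)}
    return out


if __name__ == "__main__":
    recs = parse_dropped(DROPPED_TABLE)
    print(f"{len(recs)} dropped files, {len(ioc_hashes(recs))} with SHA256")
    for directory, info in sideload_candidates(recs).items():
        print(directory, info["exe"], info["modules"])
```

Confirming a sideload requires either the executable's import table or an image-load trace for the candidate module names; the dropped-file grouping alone only tells you where to look.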
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 7
TCP/UDP connections: 33
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation ("-" marks a cell the report left empty)
2224 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4128 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
4128 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
6856 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
2224 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a cell the report left empty)
- | - | 2.19.96.80:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2224 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
2224 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2224 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
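Every HTTP request and connection in the tables above carries a PID outside the sample's process tree or no PID at all, so "Threats: 0" says that the sample generated no observable outbound traffic during this run, not that it lacks network capability. The following is an added example, not ANY.RUN code: it sorts the connection rows above by PID into traffic from the monitored sample, Windows background traffic, and rows the report left unattributed, then cross-references each unattributed endpoint against the named background processes that reached the same endpoint. The rows are transcribed from the Connections table; None marks cells the report left empty.

```python
"""Attribute sandbox network rows to the sample or to OS background noise (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Conn:
    pid: Optional[int]
    process: Optional[str]
    endpoint: str          # "ip:port" as printed in the report
    domain: Optional[str]
    reputation: str


# PIDs of the seven monitored processes from the report's process table.
SAMPLE_PIDS: Set[int] = {6444, 6468, 6500, 6524, 6548, 6580, 5752}

# Transcribed from the Connections table above.
CONNECTIONS = [
    Conn(None, None, "2.19.96.80:443", "www.bing.com", "whitelisted"),
    Conn(4, "System", "192.168.100.255:138", None, "whitelisted"),
    Conn(None, None, "40.127.240.158:443", None, "unknown"),
    Conn(None, None, "2.23.77.188:80", "ocsp.digicert.com", "whitelisted"),
    Conn(2224, "svchost.exe", "2.19.11.120:80", "crl.microsoft.com", "whitelisted"),
    Conn(2224, "svchost.exe", "95.101.149.131:80", "www.microsoft.com", "whitelisted"),
    Conn(4712, "MoUsoCoreWorker.exe", "40.127.240.158:443", None, "unknown"),
    Conn(2224, "svchost.exe", "51.104.136.2:443", "settings-win.data.microsoft.com", "whitelisted"),
    Conn(1176, "svchost.exe", "40.126.32.140:443", "login.live.com", "whitelisted"),
    Conn(1176, "svchost.exe", "2.23.77.188:80", "ocsp.digicert.com", "whitelisted"),
]


def attribute(conns: List[Conn], sample_pids: Set[int]) -> Dict[str, List[Conn]]:
    """Split rows into sample-originated, background (other PID) and unattributed (no PID)."""
    buckets: Dict[str, List[Conn]] = {"sample": [], "background": [], "unattributed": []}
    for c in conns:
        if c.pid is None:
            buckets["unattributed"].append(c)
        elif c.pid in sample_pids:
            buckets["sample"].append(c)
        else:
            buckets["background"].append(c)
    return buckets


def needs_review(buckets: Dict[str, List[Conn]]) -> List[str]:
    """Endpoints PID attribution cannot clear: anything from the sample, anything
    unattributed, and background rows that are not marked whitelisted."""
    pending = {c.endpoint for c in buckets["sample"] + buckets["unattributed"]}
    pending |= {c.endpoint for c in buckets["background"] if c.reputation != "whitelisted"}
    return sorted(pending)


def corroborate(buckets: Dict[str, List[Conn]]) -> Dict[str, List[str]]:
    """For each unattributed endpoint, the named background processes that also reached it."""
    seen: Dict[str, Set[str]] = {}
    for c in buckets["background"]:
        seen.setdefault(c.endpoint, set()).add(c.process or "")
    return {c.endpoint: sorted(seen.get(c.endpoint, set())) for c in buckets["unattributed"]}


if __name__ == "__main__":
    b = attribute(CONNECTIONS, SAMPLE_PIDS)
    print({k: len(v) for k, v in b.items()})
    print("review:", needs_review(b))
    print("corroboration:", corroborate(b))
```

An unattributed endpoint that a named Windows component also contacted (here the Microsoft range reached by MoUsoCoreWorker.exe and the DigiCert OCSP responder reached by svchost.exe) is likely the same background activity; the one with no corroboration still has to be checked against the PCAP.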

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.19.96.80
  • 2.19.96.89
  • 2.19.96.104
  • 2.19.96.27
  • 2.19.96.25
  • 2.19.96.33
  • 2.19.96.50
  • 2.19.96.40
  • 2.19.96.43
whitelisted
google.com
  • 142.250.185.110
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.132
  • 20.190.160.64
  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.76
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info