Suspicious
Unsigned tool exhibiting process injection and direct-IP contact; no tier-1 consensus or malicious hosts detected, but heuristic signals warrant caution.
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This unsigned executable shows two heuristic patterns, process injection and direct-IP contact, that are common in evasive malware. Against that, none of the tier-1 engines (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, F-Secure, Ikarus, GData, Emsisoft, DrWeb and Avira among them) detects it, and none of the contacted hosts is in the malicious host cache. The 21 ambient MITRE technique entries are mostly discovery and registry/file enumeration and are consistent with a legitimate system-monitoring or scripting tool, although three of them (T1056.001 keylogging, T1113 screen capture, T1115 clipboard data) are collection techniques and deserve a look in manual review. The file's 1284-day submission history and medium prevalence (47 submitters) point to an established tool rather than a zero-day. The heuristic rules are evidence of suspicious behaviour, not verdicts: they need corroboration from engine detections or sandbox consensus, and there is none here.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- tier1Malicious=0 across 14 tier-1 engines (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, F-Secure, Ikarus, GData, Emsisoft, DrWeb, Avira among those undetected)
- triggeredHeuristics: MalwareTips.Synth.ProcessInjection (T1055) and MalwareTips.Synth.DirectIpC2 fired, but there is no tier-1 consensus on a family and none of the 11 contacted IPs is in the malicious host cache
- behaviour: 1 offensive technique (T1055) plus 21 ambient entries (20 distinct; T1115 is listed twice): T1082, T1083, T1087, T1112, T1113, T1115, T1129, T1497, T1564.003, T1614, T1071, T1056.001, T1059, T1027.002, T1027.005, T1010, T1012, T1027, T1033, T1497.001. A mixed profile, not that of pure malware, though T1056.001, T1113 and T1115 are collection techniques rather than ambient noise
- prevalence: medium (47 submitters, 51 submissions since Dec 2022); no external-intel hits (CIRCL, MalwareBazaar, YARA)
- unsigned, no signer history, no brand mismatch; the filename 'ZEN Scripter' does not trigger the security-software or research-tool classifiers
- Zero tier-1 engine detections across 14 high-trust vendors (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, F-Secure, Ikarus, GData, Emsisoft, DrWeb, Avira among them)
- No malicious host cache hits for the 11 contacted IPs; several sit in known CDN/cloud ranges
- 1284-day submission history with medium prevalence (47 submitters, 51 submissions): an established tool, not a zero-day
- No malicious sandbox verdict, no dropped children, no persistence indicators
- 21 ambient MITRE technique entries (discovery, registry access, file enumeration) consistent with legitimate system-monitoring or scripting tools
- Process injection (T1055) flagged; the report names neither the injection API nor the target process
- Direct-IP contact pattern: 11 IP addresses contacted and no DNS domains recorded, although two of the listed addresses are private (192.168.0.0/16) rather than external
- Unsigned executable: no publisher identity or code-signing certificate
- Heuristic rule triggers: MalwareTips.Synth.ProcessInjection and MalwareTips.Synth.DirectIpC2
Treat as suspicious pending manual review. The heuristic signals (process injection, direct-IP contact) are genuine malware indicators, but the complete absence of tier-1 consensus and of malicious host hits suggests a false positive or a legitimate tool with unusual behaviour. Manual review should establish which process the injection targeted and through which API, and whether the contacted addresses are CDN/cloud endpoints the sandbox would see from any Windows host rather than the sample's own infrastructure. If the source is trusted, execution in an isolated environment is acceptable; otherwise, quarantine the file and monitor.
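The verdict leans on splitting the technique list into one "offensive" entry and 21 "ambient" ones. The following added example (editor code, not the MalwareTips arbiter) runs that split over the technique IDs printed in the signal list: it deduplicates them, looks each one up in a hand-maintained subset of ATT&CK (an assumption; names and tactics are taken from the public matrix, and unknown sub-techniques fall back to their parent), groups them by primary tactic, and surfaces everything that is not routine discovery or execution noise. The point it makes is that "ambient" as the report uses it still contains collection and defense-evasion techniques.

```python
"""Profile the MITRE ATT&CK technique list from the scan report.

Added example; editor code, not the MalwareTips arbiter. It deduplicates
the technique IDs as printed, folds unknown sub-techniques into their
parent for lookup, groups them by primary tactic, and surfaces the ones
that are not routine discovery/execution noise. ATTACK_SUBSET is a
hand-maintained subset of the ATT&CK matrix (assumption: names and
tactics match the matrix the report used).
"""
from collections import Counter

# Assumed subset of ATT&CK: technique ID -> (name, primary tactic).
ATTACK_SUBSET = {
    "T1010": ("Application Window Discovery", "discovery"),
    "T1012": ("Query Registry", "discovery"),
    "T1027": ("Obfuscated Files or Information", "defense-evasion"),
    "T1027.002": ("Software Packing", "defense-evasion"),
    "T1027.005": ("Indicator Removal from Tools", "defense-evasion"),
    "T1033": ("System Owner/User Discovery", "discovery"),
    "T1055": ("Process Injection", "defense-evasion"),
    "T1056.001": ("Keylogging", "collection"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1071": ("Application Layer Protocol", "command-and-control"),
    "T1082": ("System Information Discovery", "discovery"),
    "T1083": ("File and Directory Discovery", "discovery"),
    "T1087": ("Account Discovery", "discovery"),
    "T1112": ("Modify Registry", "defense-evasion"),
    "T1113": ("Screen Capture", "collection"),
    "T1115": ("Clipboard Data", "collection"),
    "T1129": ("Shared Modules", "execution"),
    "T1497": ("Virtualization/Sandbox Evasion", "defense-evasion"),
    "T1497.001": ("System Checks", "defense-evasion"),
    "T1564.003": ("Hidden Window", "defense-evasion"),
    "T1614": ("System Location Discovery", "discovery"),
}

# Tactics nearly every desktop program trips during a sandbox run.
AMBIENT_TACTICS = {"discovery", "execution"}

# Technique IDs exactly as the report lists them (constructed from the page:
# the offensive T1055 plus the 21 "ambient" entries, with T1115 appearing twice).
REPORTED_TECHNIQUES = [
    "T1055",
    "T1082", "T1083", "T1087", "T1112", "T1113", "T1115", "T1129", "T1497",
    "T1564.003", "T1614", "T1071", "T1056.001", "T1059", "T1027.002",
    "T1027.005", "T1010", "T1012", "T1027", "T1033", "T1115", "T1497.001",
]


def lookup(tid):
    """Return (name, tactic) for a technique, falling back to its parent ID."""
    entry = ATTACK_SUBSET.get(tid)
    if entry is None:
        entry = ATTACK_SUBSET.get(tid.split(".")[0])
    return entry


def profile(techniques):
    """Deduplicate, group by tactic, and flag non-ambient techniques."""
    counts = Counter(techniques)
    duplicates = sorted(t for t, n in counts.items() if n > 1)
    by_tactic = {}
    unknown = []
    for tid in sorted(counts):
        entry = lookup(tid)
        if entry is None:
            unknown.append(tid)
            continue
        by_tactic.setdefault(entry[1], []).append(tid)
    noteworthy = sorted(
        tid
        for tactic, tids in by_tactic.items()
        if tactic not in AMBIENT_TACTICS
        for tid in tids
    )
    return {
        "distinct": len(counts),
        "duplicates": duplicates,
        "by_tactic": by_tactic,
        "noteworthy": noteworthy,
        "unknown": unknown,
    }


def describe(techniques):
    """One human-readable line per non-ambient technique."""
    lines = []
    for tid in profile(techniques)["noteworthy"]:
        name, tactic = lookup(tid)
        lines.append(f"{tid:<10} {tactic:<20} {name}")
    return lines


if __name__ == "__main__":
    r = profile(REPORTED_TECHNIQUES)
    print(f"{r['distinct']} distinct techniques; duplicated: {r['duplicates']}")
    for tactic, tids in sorted(r["by_tactic"].items()):
        print(f"  {tactic}: {len(tids)}")
    print("Not ambient:")
    for line in describe(REPORTED_TECHNIQUES):
        print("  " + line)
```

On the report's list this yields 21 distinct IDs (T1115 counted once), seven discovery and two execution techniques that really are ambient, and twelve others spread across defense evasion, collection and command-and-control. Whether keylogging, screen capture and clipboard access are acceptable depends entirely on what a scripting tool is supposed to do, which is why they belong in the manual-review notes rather than in the ambient bucket.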
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 23.216.147.76
- 20.99.184.37
- 23.40.197.184
- a83f:8110:5013:4d00:100:0:100:0
- 192.168.0.42
- 23.213.37.172
- 192.168.0.49
- 151.101.22.172
- 20.69.140.28
- 23.196.145.221
- C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
- C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
- C:\Windows\System32\spp\store\2.0\cache\cache.dat
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER342A.tmp.WERInternalMetadata.xml
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER34D6.tmp.csv
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER3506.tmp.txt
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A07.tmp.WERInternalMetadata.xml
YARA + heuristic rules that fired
The rules that fired here are behavioural heuristics from the MalwareTips.Synth family, not family-specific signatures. They describe a pattern seen during the sandbox run and, as the verdict notes, need corroboration from engine detections or sandbox consensus before they carry weight on their own.
MalwareTips.Synth.ProcessInjection: MITRE T1055 (Process Injection) observed. The rule covers CreateRemoteThread, APC-queue and reflective-DLL injection, all of which place code in another process to get past hooks in the original one. The report does not say which variant fired or name the target process, so the rule alone does not establish that a payload was smuggled into a legitimate process.
Evidence: "C:\Users\<USER>\Desktop\file.exe"
MalwareTips.Synth.DirectIpC2: the sample contacted 11 IP address(es) and zero domains. Benign software almost always resolves names through DNS, and contacting IPs directly with no lookup is a strong C2 indicator because it bypasses reputation systems and domain-based blocklists. Two caveats apply to this run: the contacted list includes CDN/cloud ranges and two private addresses, and a sandbox that does not capture DNS traffic produces the same "zero domains" pattern.
Evidence: 23.216.147.76 · 20.99.184.37 · 23.40.197.184
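The direct-IP rule above, and the corresponding signal in the verdict, counts contacted addresses without asking where they sit. The following added example (editor code, not the MalwareTips.Synth.DirectIpC2 rule) re-evaluates the pattern over the ten addresses printed in the report: it drops private, link-local and non-routable addresses (including IPv6 outside 2000::/3, which catches the odd a83f:… entry), separates addresses inside CDN/cloud prefixes, treats an address that appeared in a captured DNS answer as resolved rather than direct, and only counts the remainder as genuine direct-IP contact. CDN_PREFIXES is an illustrative assumption and should be checked against each provider's published ranges; CONTACTED is constructed from the page.

```python
"""Re-evaluate a sandbox 'direct-IP C2' heuristic.

Added example; editor code, not the MalwareTips.Synth.DirectIpC2 rule.
Given the addresses a sandbox saw the sample contact and the DNS answers
it captured, it separates private/non-routable addresses, addresses inside
known CDN/cloud prefixes, addresses resolved by name during the run, and
genuinely direct contact with public addresses. Only the last bucket
supports a direct-IP verdict. CDN_PREFIXES is an illustrative assumption
(verify against each provider's published ranges).
"""
import ipaddress

# Assumed CDN/cloud prefixes for illustration only.
CDN_PREFIXES = {
    "akamai": ["23.32.0.0/11", "23.192.0.0/11"],
    "fastly": ["151.101.0.0/16"],
    "microsoft": ["20.64.0.0/10"],
}
_CDN_NETS = [
    (name, ipaddress.ip_network(prefix))
    for name, prefixes in CDN_PREFIXES.items()
    for prefix in prefixes
]
# IANA allocates IPv6 global unicast from 2000::/3 only.
IPV6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Addresses as printed in the report (constructed from the page; the report
# counts 11 contacts but prints 10).
CONTACTED = [
    "23.216.147.76", "20.99.184.37", "23.40.197.184",
    "a83f:8110:5013:4d00:100:0:100:0", "192.168.0.42", "23.213.37.172",
    "192.168.0.49", "151.101.22.172", "20.69.140.28", "23.196.145.221",
]


def classify(addr_str):
    """Bucket one address: unparseable, non-routable, cdn:<name>, or public."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return "unparseable"
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified):
        return "non-routable"
    if addr.version == 6 and addr not in IPV6_GLOBAL_UNICAST:
        return "non-routable"
    for name, net in _CDN_NETS:
        if addr in net:          # version mismatch simply yields False
            return "cdn:" + name
    return "public"


def assess(contacted, resolved):
    """resolved maps hostname -> list of IPs the sandbox saw in DNS answers."""
    resolved_ips = {ip for ips in resolved.values() for ip in ips}
    buckets = {}
    for addr in contacted:
        bucket = "dns-resolved" if addr in resolved_ips else classify(addr)
        buckets.setdefault(bucket, []).append(addr)
    direct_public = buckets.get("public", [])
    cdn = [a for b, addrs in buckets.items() if b.startswith("cdn:") for a in addrs]
    if direct_public:
        # Direct public contact with no DNS at all is the strong form of the signal.
        verdict = "direct-ip-no-dns" if not resolved else "direct-ip-with-dns"
    elif cdn:
        verdict = "cdn-cloud-only"
    else:
        verdict = "no-public-contact"
    return {"verdict": verdict, "direct_public": direct_public,
            "cdn": cdn, "buckets": buckets}


if __name__ == "__main__":
    result = assess(CONTACTED, resolved={})   # the report recorded no DNS names
    print(result["verdict"])
    for bucket, addrs in result["buckets"].items():
        print(f"  {bucket}: {', '.join(addrs)}")
```

With the report's addresses and an empty DNS capture, every routable address lands inside the illustrative CDN/cloud prefixes and the remaining three are outside routable space, so the strong form of the signal does not hold as printed. That does not clear the sample; it means the rule needs the sandbox's DNS capture and the target of the injection before it can be read as C2 rather than as background traffic from a Windows host.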
0 detections across 66 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: ZEN Scripter
- Size: 8.66 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 0e01904957d0d45f3a548085d7e6ae97d036c931e4447ad3c3e3c3bacc366a11
- MD5: 9ede236cbd864af39bff861b57368554
- SHA-1: bef048d54c2b4d714af51c966b828af64c883342
- PE imphash: 65ce057600e3d9ea4ed37f5f68912c21
- First seen (VT): 12/15/2022, 4:46:04 PM
- Last analysis (VT): 4/21/2026, 1:08:12 AM
- First scan (MalwareTips): 6/22/2026, 5:13:18 AM
- Last scan (MalwareTips): 6/22/2026, 5:13:18 AM
Reviews & malware reports (0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.