File name:

Zenith-Installer.exe

Full analysis: https://app.any.run/tasks/fc6c1c6b-bb3b-4dbc-8b88-04df3a6d1e2c
Verdict: Malicious activity
Analysis date: October 25, 2025, 15:37:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
generic
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

4A64CDA3F00E2734B5BC1F30E5D35E07

SHA1:

5816A454E4501F90C422071FB277302B648D8E87

SHA256:

DE3EB53305E2C495D467040BBEEC8AD632E950BD807783CCEB8498F968411A12

SSDEEP:

393216:btZMDrBDOMX93mv+Se4RCsQmoevHC15aGaWp4jLDByFIZ:btZMnBbXJw/5WYHCWvjHDB8s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • Zenith-Installer.exe (PID: 8108)

    • Changes the autorun value in the registry

      • VC_redist.x64.exe (PID: 7868)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Zenith-Installer.exe (PID: 8108)

    • The process creates files with name similar to system file names

      • Zenith-Installer.exe (PID: 8108)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 6140)
      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • VC_redist.x64.exe (PID: 7816)
      • vc_redist.x64.exe (PID: 2784)
      • VC_redist.x64.exe (PID: 7868)

    • Process drops legitimate windows executable

      • Zenith-Installer.exe (PID: 8108)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6140)
      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • VC_redist.x64.exe (PID: 7816)
      • vc_redist.x64.exe (PID: 2784)
      • VC_redist.x64.exe (PID: 7868)
      • msiexec.exe (PID: 272)
      • VC_redist.x64.exe (PID: 7856)

    • Executable content was dropped or overwritten

      • MicrosoftEdgeWebview2Setup.exe (PID: 6140)
      • Zenith-Installer.exe (PID: 8108)
      • VC_redist.x64.exe (PID: 7816)
      • vc_redist.x64.exe (PID: 2784)
      • VC_redist.x64.exe (PID: 7868)
      • VC_redist.x64.exe (PID: 3392)
      • VC_redist.x64.exe (PID: 7232)
      • VC_redist.x64.exe (PID: 7856)

    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 6740)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • vc_redist.x64.exe (PID: 2784)
      • VC_redist.x64.exe (PID: 7232)

    • Starts itself from another location

      • vc_redist.x64.exe (PID: 2784)

    • Executes as Windows Service

      • VSSVC.exe (PID: 7928)

    • Searches for installed software

      • dllhost.exe (PID: 7920)
      • vc_redist.x64.exe (PID: 2784)
      • VC_redist.x64.exe (PID: 7692)
      • VC_redist.x64.exe (PID: 7232)
      • VC_redist.x64.exe (PID: 7856)
      • VC_redist.x64.exe (PID: 3392)

    • Application launched itself

      • VC_redist.x64.exe (PID: 7692)
      • VC_redist.x64.exe (PID: 752)
      • VC_redist.x64.exe (PID: 2156)
      • VC_redist.x64.exe (PID: 7232)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 272)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 272)

  • INFO

    • Reads the computer name

      • Zenith-Installer.exe (PID: 8108)
      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • VC_redist.x64.exe (PID: 7816)
      • VC_redist.x64.exe (PID: 7868)
      • vc_redist.x64.exe (PID: 2784)
      • msiexec.exe (PID: 272)
      • VC_redist.x64.exe (PID: 7232)
      • VC_redist.x64.exe (PID: 7856)
      • VC_redist.x64.exe (PID: 3392)

    • Checks supported languages

      • Zenith-Installer.exe (PID: 8108)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6140)
      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • VC_redist.x64.exe (PID: 7816)
      • VC_redist.x64.exe (PID: 7868)
      • vc_redist.x64.exe (PID: 2784)
      • msiexec.exe (PID: 272)
      • VC_redist.x64.exe (PID: 7692)
      • VC_redist.x64.exe (PID: 752)
      • VC_redist.x64.exe (PID: 3392)
      • VC_redist.x64.exe (PID: 7232)
      • VC_redist.x64.exe (PID: 7856)
      • VC_redist.x64.exe (PID: 2156)

    • Creates files or folders in the user directory

      • Zenith-Installer.exe (PID: 8108)

    • Create files in a temporary directory

      • Zenith-Installer.exe (PID: 8108)
      • vc_redist.x64.exe (PID: 2784)
      • VC_redist.x64.exe (PID: 7868)
      • VC_redist.x64.exe (PID: 7232)
      • VC_redist.x64.exe (PID: 3392)

    • The sample compiled with english language support

      • Zenith-Installer.exe (PID: 8108)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6140)
      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • VC_redist.x64.exe (PID: 7816)
      • vc_redist.x64.exe (PID: 2784)
      • VC_redist.x64.exe (PID: 7868)
      • VC_redist.x64.exe (PID: 3392)
      • msiexec.exe (PID: 272)
      • VC_redist.x64.exe (PID: 7232)
      • VC_redist.x64.exe (PID: 7856)

    • Creates files in the program directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 6140)
      • VC_redist.x64.exe (PID: 7868)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 6740)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • wermgr.exe (PID: 7192)
      • msiexec.exe (PID: 272)
      • slui.exe (PID: 1300)

    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • wermgr.exe (PID: 7192)
      • slui.exe (PID: 1300)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6740)
      • vc_redist.x64.exe (PID: 2784)
      • VC_redist.x64.exe (PID: 7232)

    • Manages system restore points

      • SrTasks.exe (PID: 5276)

    • Creates a software uninstall entry

      • VC_redist.x64.exe (PID: 7868)
      • msiexec.exe (PID: 272)

    • Launching a file from a Registry key

      • VC_redist.x64.exe (PID: 7868)

    • Reads the machine GUID from the registry

      • VC_redist.x64.exe (PID: 7868)
      • msiexec.exe (PID: 272)

    • Manual execution by a user

      • VC_redist.x64.exe (PID: 7692)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:08 23:05:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 184832
UninitializedDataSize: 2048
EntryPoint: 0x358d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
163
Monitored processes
20
Malicious processes
3
Suspicious processes
4

Behavior graph

Click at the process to see the details
start zenith-installer.exe microsoftedgewebview2setup.exe microsoftedgeupdate.exe wermgr.exe vc_redist.x64.exe vc_redist.x64.exe vc_redist.x64.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe vc_redist.x64.exe no specs vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe slui.exe zenith-installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
272C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
752"C:\ProgramData\Package Cache\{a8cc5541-021a-45c0-a308-ad0035979d45}\VC_redist.x64.exe" /quiet /norestart /burn.log.append "C:\Users\admin\AppData\Local\Temp\dd_vcredist_amd64_20251025153814.log"C:\ProgramData\Package Cache\{a8cc5541-021a-45c0-a308-ad0035979d45}\VC_redist.x64.exeVC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112
Exit code:
3010
Version:
14.44.35112.1
Modules
Images
c:\programdata\package cache\{a8cc5541-021a-45c0-a308-ad0035979d45}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1300C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2156"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={a8cc5541-021a-45c0-a308-ad0035979d45} -burn.filehandle.self=1196 -burn.embedded BurnPipe.{66F1C11D-3838-47FC-8D4A-DF40CAD32B62} {475C8D5B-43A6-4C0B-92AC-63615CBA5BD9} 7868C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeVC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code:
0
Version:
14.36.32532.0
Modules
Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2784"C:\WINDOWS\Temp\{6D280438-FBCD-4066-9165-2C8D66077962}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=672 -burn.filehandle.self=680 /passive /norestart /quietC:\Windows\Temp\{6D280438-FBCD-4066-9165-2C8D66077962}\.cr\vc_redist.x64.exe
VC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112
Exit code:
3010
Version:
14.44.35112.1
Modules
Images
c:\windows\temp\{6d280438-fbcd-4066-9165-2c8d66077962}\.cr\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
3392"C:\ProgramData\Package Cache\{a8cc5541-021a-45c0-a308-ad0035979d45}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{a8cc5541-021a-45c0-a308-ad0035979d45}\VC_redist.x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=556 /quiet /norestart /burn.log.append "C:\Users\admin\AppData\Local\Temp\dd_vcredist_amd64_20251025153814.log"C:\ProgramData\Package Cache\{a8cc5541-021a-45c0-a308-ad0035979d45}\VC_redist.x64.exe
VC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112
Exit code:
3010
Version:
14.44.35112.1
Modules
Images
c:\programdata\package cache\{a8cc5541-021a-45c0-a308-ad0035979d45}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
5276C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15C:\Windows\System32\SrTasks.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5760\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6140"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /installC:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Zenith-Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge Update Setup
Exit code:
2147747592
Version:
1.3.195.59
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6740"C:\Program Files (x86)\Microsoft\Temp\EUF795.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"C:\Program Files (x86)\Microsoft\Temp\EUF795.tmp\MicrosoftEdgeUpdate.exe
MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge Update
Exit code:
2147747592
Version:
1.3.195.59
Modules
Images
c:\program files (x86)\microsoft\temp\euf795.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
25 983
Read events
24 947
Write events
656
Delete events
380

Modification events

(PID) Process:(6740) MicrosoftEdgeUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{46B81C4C-D354-4970-93DB-6F8DC4D13AB7}
Operation:writeName:PersistedPingString
Value:
<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.195.59" shell_version="1.3.147.37" ismachine="1" sessionid="{D71438B0-CFC4-4840-ABEE-091DBD5F67E7}" userid="{FD984739-A122-4DB0-BE5B-46E3E09D84E4}" installsource="otherinstallcmd" requestid="{46B81C4C-D354-4970-93DB-6F8DC4D13AB7}" dedup="cr" domainjoined="0"><hw logical_cpus="6" physmemory="6" disk_type="2" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="10.0.19045.4046" sp="" arch="x64" product_type="48" is_wip="0" is_in_lockdown_mode="0"/><oem product_manufacturer="DELL" product_name="DELL"/><exp etag="&quot;r452t1+k2Tgq/HXzjvFNBRhopBWR9sbjXxqeUDH9uX0=&quot;"/><app appid="{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}" version="1.3.195.43" nextversion="1.3.195.59" lang="" brand="" client=""><event eventtype="2" eventresult="1" errorcode="0" extracode1="0" system_uptime_ticks="10474950481" install_time_ms="219"/></app></request>
(PID) Process:(6740) MicrosoftEdgeUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{46B81C4C-D354-4970-93DB-6F8DC4D13AB7}
Operation:writeName:PersistedPingTime
Value:
134058802905199773
(PID) Process:(6740) MicrosoftEdgeUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{46B81C4C-D354-4970-93DB-6F8DC4D13AB7}
Operation:delete keyName:(default)
Value:
(PID) Process:(6740) MicrosoftEdgeUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe
Operation:writeName:DisableExceptionChainValidation
Value:
0
(PID) Process:(6740) MicrosoftEdgeUpdate.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\proxy
Operation:writeName:source
Value:
auto
(PID) Process:(6740) MicrosoftEdgeUpdate.exeKey:\REGISTRY\A\{0cc9cc85-3d30-2b9e-c1d0-776128c91870}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(6740) MicrosoftEdgeUpdate.exeKey:\REGISTRY\A\{0cc9cc85-3d30-2b9e-c1d0-776128c91870}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
(PID) Process:(7192) wermgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation:writeName:ClockTimeSeconds
Value:
E3EEFC6800000000
(PID) Process:(7192) wermgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation:writeName:TickCount
Value:
7901100000000000
(PID) Process:(6740) MicrosoftEdgeUpdate.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Timings
Operation:writeName:setup_lock_acquire_ms
Value:
0400000000000000000000000000000000000000000000000000000000000000
Executable files
274
Suspicious files
64
Text files
104
Unknown types
0

Dropped files

PID
Process
Filename
Type
6140MicrosoftEdgeWebview2Setup.exeC:\Program Files (x86)\Microsoft\Temp\EUF795.tmp\MicrosoftEdgeUpdate.exeexecutable
MD5:52A0C448A057C2674DE784ECEA18A442
SHA256:6EE82A270824390FA5C8940007E7E45D633A7FA62A91C8E3A0E662BE1862F2C2
8108Zenith-Installer.exeC:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exeexecutable
MD5:F146CF881FADB709D547221FDE6D6232
SHA256:FB8545049E401EA8A01D1E32561C82D6B07127F4B6BF92C9AFE9C03F3C0474F8
8108Zenith-Installer.exeC:\Users\admin\Desktop\Zenith\zenith.exeexecutable
MD5:586EE2368AF64BC919699E8E90901D53
SHA256:4DF91EBD02F2FBA3DB355F28CFA22ED5CFB6FD16E5374208AFE0E72A07217476
6140MicrosoftEdgeWebview2Setup.exeC:\Program Files (x86)\Microsoft\Temp\EUF795.tmp\msedgeupdate.dllexecutable
MD5:D5E53F1C10FAB383EE6D2F88E62CF536
SHA256:30BFDF2DADB4EDE5659543946BE8EEB7D0848A23E3FB47469CA056C138D07750
8108Zenith-Installer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zenith\Uninstall.lnkbinary
MD5:D52FAF4C71F51DE971BFA1ADAD4C5BA8
SHA256:90AFBD9DF15B49B77A60F34F58B0D7F0DF808F44B75E9A634352246A03F95E72
6140MicrosoftEdgeWebview2Setup.exeC:\Program Files (x86)\Microsoft\Temp\EUF795.tmp\MicrosoftEdgeUpdateBroker.exeexecutable
MD5:64DECED86987DF0E92E532C97278D00C
SHA256:6090E580F0682BCB61D1990E6DD7415AABCB543FFD5E3AF13B3A253A55C3DEAF
6140MicrosoftEdgeWebview2Setup.exeC:\Program Files (x86)\Microsoft\Temp\EUF795.tmp\MicrosoftEdgeUpdateOnDemand.exeexecutable
MD5:7C24DF5DD1D20B877169F31FC5C0231E
SHA256:294377E4C13D283D108B7DCE57A185395904C851790F1F8C9084E34B47152969
6140MicrosoftEdgeWebview2Setup.exeC:\Program Files (x86)\Microsoft\Temp\EUF795.tmp\MicrosoftEdgeUpdateComRegisterShell64.exeexecutable
MD5:A393683D22B138969705A2E163C45831
SHA256:591E90EDB5D54C68C7639B3B3CD007D31DE4BC7686DE6EE05FEF94FACAA5725F
8108Zenith-Installer.exeC:\Users\admin\AppData\Local\Temp\nslD346.tmp\nsDialogs.dllexecutable
MD5:8F0E7415F33843431DF308BB8E06AF81
SHA256:BB49F15FA83452370047A7801E39FC7F64E70C7545B8999BB85AA4749EAA048B
8108Zenith-Installer.exeC:\Users\admin\AppData\Local\Temp\nslD346.tmp\modern-wizard.bmpimage
MD5:BF9E39C2A3B14615A3CE52203AE6EFC7
SHA256:87B05FE6B38651A660BB1DAFBD7E23E831131C1FC5C5542E8B034089647B4D03
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
76
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.106.218:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=&setlang=en-US&cc=US&nohs=1&qfm=1&cp=0&cvid=d78f227ba78a4992a181fb0a7816f5a0&ig=c5fdd2984993493480d5dc6edb019ef9
unknown
488 b
unknown
POST
200
20.190.160.132:443
https://login.live.com/RST2.srf
US
11.0 Kb
unknown
GET
200
2.16.106.218:443
https://www.bing.com/dsb/scenario?name=TrendingSearchWithCache&cc=us&setlang=en-us
unknown
633 b
unknown
POST
200
20.190.160.17:443
https://login.live.com/RST2.srf
US
11.3 Kb
unknown
5424
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
POST
200
20.190.160.132:443
https://login.live.com/RST2.srf
US
11.3 Kb
unknown
POST
200
20.190.160.2:443
https://login.live.com/RST2.srf
US
11.3 Kb
unknown
POST
200
20.190.160.5:443
https://login.live.com/RST2.srf
US
10.3 Kb
unknown
GET
200
20.223.36.55:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251025T153750Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=e2e4dec0b63e4ecb8b31adf05fd15604&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4277257&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1667786&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
US
3.21 Kb
unknown
GET
200
20.223.36.55:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251025T153750Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=c2e535b9b00240f09eb410b4fbf19536&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4277257&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1667786&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
US
3.20 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5424
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.207:443
www.bing.com
Akamai International B.V.
DE
whitelisted
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7088
SearchApp.exe
2.16.241.207:443
www.bing.com
Akamai International B.V.
DE
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
192.168.100.255:138
whitelisted
5424
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.128
  • 20.190.159.68
  • 40.126.31.1
  • 20.190.159.23
  • 40.126.31.73
  • 40.126.31.3
  • 40.126.31.131
whitelisted
www.bing.com
  • 2.16.241.207
  • 2.16.241.201
  • 2.16.241.206
  • 2.16.241.218
  • 2.16.241.222
  • 2.16.241.213
  • 2.16.241.204
  • 2.16.241.211
  • 2.16.241.205
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
google.com
  • 142.250.74.206
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.199.58.43
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
watson.events.data.microsoft.com
  • 172.178.240.162
whitelisted

Threats

No threats detected
Process
Message
msiexec.exe
Failed to release Service
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Zenith-Installer.exe