File name: eMule0.50a-Installer.zip

Full analysis: https://app.any.run/tasks/0139b007-bbeb-43b1-b651-f17e085de68d
Verdict: Malicious activity
Analysis date: March 06, 2024, 22:08:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: spam
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 1C416A77E481E135271C69773FCBAD59
SHA1: 02231CDC83625493126B73B8660C7A24E4BDF217
SHA256: E2CB6DAC1CCBACB27479D738030CAF4F27BDCB5EE3CB0C16D5F75F50B9290D4D
SSDEEP: 98304:e+6X1W8GgIipbV/qCEvQs1PaWBT4VoENdSsxRB3AZAhAnZ1HtTXZe720kp/FqmLh:VOgjz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3672)
      • eMule0.50a-Installer.exe (PID: 2328)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • eMule0.50a-Installer.exe (PID: 2328)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • eMule0.50a-Installer.exe (PID: 2328)
    • The process creates files with name similar to system file names

      • eMule0.50a-Installer.exe (PID: 2328)
    • Creates a software uninstall entry

      • eMule0.50a-Installer.exe (PID: 2328)
    • Connects to unusual port

      • emule.exe (PID: 4004)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)
    • Manual execution by a user

      • eMule0.50a-Installer.exe (PID: 2328)
      • eMule0.50a-Installer.exe (PID: 3708)
      • emule.exe (PID: 4004)
    • Reads the computer name

      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Checks supported languages

      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Reads Environment values

      • eMule0.50a-Installer.exe (PID: 2328)
    • Creates files in the program directory

      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Creates files or folders in the user directory

      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Reads the machine GUID from the registry

      • emule.exe (PID: 4004)
    • Create files in a temporary directory

      • eMule0.50a-Installer.exe (PID: 2328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2010:04:07 18:44:06
ZipCRC: 0xadc638ea
ZipCompressedSize: 3350074
ZipUncompressedSize: 3389035
ZipFileName: eMule0.50a-Installer.exe
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph (interactive in the full report): winrar.exe, emule0.50a-installer.exe (no specs), emule0.50a-installer.exe, emule.exe

Process information

PID: 2328
CMD: "C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\emule0.50a-installer\emule0.50a-installer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll

PID: 3672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll

PID: 3708
CMD: "C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance did not get past loading ntdll; the installer ran as PID 2328 at HIGH integrity instead)
Modules (images):
  • c:\users\admin\appdata\local\temp\emule0.50a-installer\emule0.50a-installer.exe
  • c:\windows\system32\ntdll.dll

PID: 4004
CMD: "C:\Program Files\eMule\emule.exe"
Path: C:\Program Files\eMule\emule.exe
Parent process: explorer.exe
User: admin
Company: http://www.emule-project.net
Integrity Level: MEDIUM
Description: eMule
Exit code: 0
Version: 0.50.0 Unicode
Modules (images):
  • c:\program files\emule\emule.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 6 606
Read events: 6 582
Write events: 22
Delete events: 2

Modification events

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 52
Suspicious files: 7
Text files: 208
Unknown types: 3

Dropped files

PID | Process | Filename | Type

2328 | eMule0.50a-Installer.exe | C:\Users\admin\AppData\Local\Temp\nsc2055.tmp\InstallOptions.dll | executable
  MD5: 14C212BB2FA90FE52A6424B955C86AD6
  SHA256: 1854AFCCACE3053DCA2707B10609EA78A30F0EE853BDB9F251C076317EE53120

2328 | eMule0.50a-Installer.exe | C:\Program Files\eMule\emule.exe | executable
  MD5: F3F709C2D49DD6636F4EDE5C2CAE5448
  SHA256: 06CDF814387F627A4BD05A0C68211F715BFA952423E8E8A462E1F47C11A4D20E

2328 | eMule0.50a-Installer.exe | C:\Users\admin\AppData\Local\Temp\nsc2055.tmp\ioSpecial.ini | ini
  MD5: E2D5070BC28DB1AC745613689FF86067
  SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0

2328 | eMule0.50a-Installer.exe | C:\Users\admin\AppData\Local\Temp\nsc2055.tmp\eMule_Installer_Page4User.ini | text
  MD5: 0C171229C4069499585033721FAAF38D
  SHA256: 35476F53087BC74F45C709F420CCD05F1F516391358DB99118259F270F5A0D39

2328 | eMule0.50a-Installer.exe | C:\Program Files\eMule\lang\ba_BA.dll | executable
  MD5: 2C9715AFFC60FA5E7CD7950B7060A75E
  SHA256: 0AC0BDCF8DC9C79B20C5B660BDE3AFF137CB2F91E53DA97691CF9F65EFEE3AE9

2328 | eMule0.50a-Installer.exe | C:\Users\admin\AppData\Local\Temp\nsc2055.tmp\System.dll | executable
  MD5: 4C0C6163B636F627E0D505DEDA672C90
  SHA256: BEA71368433F91E32C597DB990089ECB7599879F76A64F7F3446489578B2D5FB

2328 | eMule0.50a-Installer.exe | C:\Program Files\eMule\license-GER.txt | text
  MD5: 322645413D6F14782DC5C9210002B1A0
  SHA256: EB42675913039C1885509AEE48CCC52AB29553A4769E7A25BB6FA36FBEA23F52

2328 | eMule0.50a-Installer.exe | C:\Program Files\eMule\changelog.txt | text
  MD5: 26E95F81FE2A97B87D17364FE1CC6B16
  SHA256: C6917D0B7D66FCCACD5FE24D1A3C4B6DA43549C4B54449042A94E1D83F6BE714

2328 | eMule0.50a-Installer.exe | C:\Program Files\eMule\readme.txt | text
  MD5: 96567A7EAE3E04D80982A5A7F5F038DB
  SHA256: 2A7932781684C7C350507A62B36E6BDEFCAAFEE7771ED22F01C41E7157F17373

2328 | eMule0.50a-Installer.exe | C:\Users\admin\AppData\Local\Temp\nsc2055.tmp\LangDLL.dll | executable
  MD5: 7E856702410E5598296A9C056C273DB2
  SHA256: 394D7D46B5E1EA621CFCC4F0BC8609D5AD8D42074186CDDB737F3ABE10874403
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 11
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4004 | emule.exe | 91.194.40.23:4184 | | | UA | unknown
4004 | emule.exe | 88.191.81.111:7111 | | Free SAS | FR | unknown
4004 | emule.exe | 212.63.206.35:4242 | | SpaceDump IT AB | SE | unknown

DNS requests

Domain | IP | Reputation
vcdns2.emule-project.org | 5.0.50.0 | unknown

Threats

No threats detected
No debug info