File name:

eMule0.50a-Installer.zip

Full analysis: https://app.any.run/tasks/0139b007-bbeb-43b1-b651-f17e085de68d
Verdict: Malicious activity
Analysis date: March 06, 2024, 22:08:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
spam
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

1C416A77E481E135271C69773FCBAD59

SHA1:

02231CDC83625493126B73B8660C7A24E4BDF217

SHA256:

E2CB6DAC1CCBACB27479D738030CAF4F27BDCB5EE3CB0C16D5F75F50B9290D4D

SSDEEP:

98304:e+6X1W8GgIipbV/qCEvQs1PaWBT4VoENdSsxRB3AZAhAnZ1HtTXZe720kp/FqmLh:VOgjz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3672)
      • eMule0.50a-Installer.exe (PID: 2328)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • eMule0.50a-Installer.exe (PID: 2328)
    • The process creates files with name similar to system file names

      • eMule0.50a-Installer.exe (PID: 2328)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • eMule0.50a-Installer.exe (PID: 2328)
    • Creates a software uninstall entry

      • eMule0.50a-Installer.exe (PID: 2328)
    • Connects to unusual port

      • emule.exe (PID: 4004)
  • INFO

    • Manual execution by a user

      • eMule0.50a-Installer.exe (PID: 3708)
      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)
    • Checks supported languages

      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Reads the computer name

      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Reads Environment values

      • eMule0.50a-Installer.exe (PID: 2328)
    • Create files in a temporary directory

      • eMule0.50a-Installer.exe (PID: 2328)
    • Creates files in the program directory

      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Creates files or folders in the user directory

      • eMule0.50a-Installer.exe (PID: 2328)
      • emule.exe (PID: 4004)
    • Reads the machine GUID from the registry

      • emule.exe (PID: 4004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2010:04:07 18:44:06
ZipCRC: 0xadc638ea
ZipCompressedSize: 3350074
ZipUncompressedSize: 3389035
ZipFileName: eMule0.50a-Installer.exe
No data.
All screenshots are available in the full report
Total processes
44
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Process chain shown in the graph: start -> winrar.exe -> emule0.50a-installer.exe (no specs), emule0.50a-installer.exe, emule.exe

Process information

PID: 2328
CMD: "C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\emule0.50a-installer\emule0.50a-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3708
CMD: "C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\emule0.50a-installer\emule0.50a-installer.exe
c:\windows\system32\ntdll.dll
PID: 4004
CMD: "C:\Program Files\eMule\emule.exe"
Path: C:\Program Files\eMule\emule.exe
Parent process: explorer.exe
User:
admin
Company:
http://www.emule-project.net
Integrity Level:
MEDIUM
Description:
eMule
Exit code:
0
Version:
0.50.0 Unicode
Modules
Images
c:\program files\emule\emule.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
6 606
Read events
6 582
Write events
22
Delete events
2

Modification events

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer.zip

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
52
Suspicious files
7
Text files
208
Unknown types
3

Dropped files

PID: 3672
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\eMule0.50a-Installer\eMule0.50a-Installer.exe
Type: executable
MD5: A31156B8D80A68E8F4354C63E0747BEB
SHA256: 28411261CB3F27081F910190D1C7742FB805185430AF10131D5B39FD2E39C832

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsc2055.tmp\modern-wizard.bmp
Type: image
MD5: 68699225156C7D85732FA1848AC58591
SHA256: 8A13A6E150E847516E154F83D7B0432C32EF5242A2647CEBEA0A3D6918254E0B

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Program Files\eMule\lang\bg_BG.dll
Type: executable
MD5: 3E18A8F704C1EBE14EFF07F2BA1FE0AD
SHA256: F81420BB6E3BFDC182A868946E198C5975A559D954714D182827D182885FABC7

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Program Files\eMule\changelog.txt
Type: text
MD5: 26E95F81FE2A97B87D17364FE1CC6B16
SHA256: C6917D0B7D66FCCACD5FE24D1A3C4B6DA43549C4B54449042A94E1D83F6BE714

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Program Files\eMule\license-GER.txt
Type: text
MD5: 322645413D6F14782DC5C9210002B1A0
SHA256: EB42675913039C1885509AEE48CCC52AB29553A4769E7A25BB6FA36FBEA23F52

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Program Files\eMule\license.txt
Type: text
MD5: 4D62AC8B7DEAE276FC253ABC90BF564B
SHA256: 9CCB32BCF0183B09D884DACDD6106FB553075E2DC4483DA96597283A6712582E

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Program Files\eMule\readme.txt
Type: text
MD5: 96567A7EAE3E04D80982A5A7F5F038DB
SHA256: 2A7932781684C7C350507A62B36E6BDEFCAAFEE7771ED22F01C41E7157F17373

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Program Files\eMule\LinkCreator.exe
Type: executable
MD5: 9F18F88AD53B4E424A118B06EDAED811
SHA256: DEC5F9BE2593E80A4F00E1290CE026EAB7327EA89A6CBB63EF1558DEE9FA5D04

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Program Files\eMule\eMule.tmpl
Type: html
MD5: 457F731698AE8CEBC9BEACC51BD5C731
SHA256: 380FB92B65AEF7C3E73CA944446C39142E2C038FD75ADF8DF2A92382DFBC3472

PID: 2328
Process: eMule0.50a-Installer.exe
Filename: C:\Program Files\eMule\lang\ar_AE.dll
Type: executable
MD5: 51920BB83259B54D268E4D111C5AB263
SHA256: 7B124389D2A034205AA85B05EC9436ECD61AC8C2589EF298119E49E7282D93A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
11
DNS requests
2
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4004 | emule.exe | 91.194.40.23:4184 | - | - | UA | unknown
4004 | emule.exe | 88.191.81.111:7111 | - | Free SAS | FR | unknown
4004 | emule.exe | 212.63.206.35:4242 | - | SpaceDump IT AB | SE | unknown

DNS requests

Domain | IP | Reputation
vcdns2.emule-project.org | 5.0.50.0 | unknown

Threats

No threats detected
No debug info