File verdict · Decided by the MT AI Engine
Our call

Safe

Zero tier-1 engine detections across 66 scanners; heuristic triggers on process injection and direct IP contact are generic signatures common to legitimate emulators.

Trust score: 82 (Moderate trust)
MT AI confidence · 78%
Eden-Windows-v0.2.1-amd64-clang-pgo.zip
35.2 MB
6c1b53ce325170a026596fd097cb
Antivirus engines
0 of 74 flagged
Code signing
Unsigned
Age
First seen 1mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 78% (High)
Reasoning

This ZIP archive shows zero detections from tier-1 engines (Avast, BitDefender, Kaspersky, Microsoft, ESET, Fortinet, Ikarus, DrWeb) despite broad scanning coverage. The two triggered heuristics — process injection and direct IP contact — are generic malware signatures that commonly fire on legitimate emulators and development tools. The absence of malicious dropped children, malicious sandbox verdicts, and external threat intelligence (YARA, CIRCL) indicates no confirmed malicious runtime behaviour. The file's medium prevalence (200 unique submitters over 32 days) and semantic versioning (v0.2.1) are consistent with legitimate open-source project distribution. The heuristic noise appears to reflect the tool's legitimate use of process injection for emulation rather than malicious intent.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/17 tier-1 malicious (Avast, BitDefender, Kaspersky, Microsoft, ESET, Fortinet, Ikarus, DrWeb all silent)

  2. prevalence.classification=medium with 200 unique submitters over 32 days — consistent with legitimate open-source project distribution

  3. behaviour.offensiveTechniques=[T1055, T1562.001] but droppedChildren.hasMaliciousChild=false and no malicious sandbox verdicts — heuristic noise without confirmed malicious runtime

  4. contactedHosts.maliciousHosts=null; externalIntel.yaraify.ruleCount=0; externalIntel.circl.hit=false — no corroborating threat intelligence

  5. triggeredHeuristics fired on ProcessInjection + DirectIpC2 but both are generic signatures common to emulators and development tools; no tier-1 family consensus

Points in its favour
  • Zero tier-1 engine detections across Avast, BitDefender, Kaspersky, Microsoft, ESET, Fortinet, Ikarus, DrWeb
  • Medium prevalence: 200 unique submitters, 216 submissions over 32 days — consistent with legitimate distribution
  • No malicious dropped children; no malicious sandbox verdicts; no external threat intelligence hits (YARA, CIRCL)
  • Semantic versioning (v0.2.1) and filename pattern align with legitimate open-source emulator project
Points against
  • triggeredHeuristics: ProcessInjection (T1055) and DirectIpC2 detected — but generic signatures common to emulators
  • Unsigned binary with no signer history — typical for open-source projects
  • Direct IP contact without DNS — may indicate CDN or infrastructure update checks
What to do

This file shows no confirmed malicious indicators from high-trust antivirus engines or runtime analysis. The heuristic triggers are generic signatures common to legitimate emulators and development tools. If obtained from the official Eden project repository, extraction and use are safe.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (8 techniques)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1033, T1055, T1057, T1071, T1082, T1129, T1497, T1562.001
Spawned processes (7)
  • "C:\Users\<USER>\AppData\Local\Temp\eden-cli.exe"
  • "C:\Users\<USER>\AppData\Local\Temp\eden.exe"
  • C:\Users\<USER>\AppData\Local\Temp\eden.exe
  • C:\Windows\system32\WerFault.exe -u -p 3332 -s 800
  • C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWow64\unarchiver.exe" "C:\Users\user\Desktop\Eden-Windows-v0.2.1-amd64-clang-pgo.zip"
  • C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\dnisg3nw.weg" "C:\Users\user\Desktop\Eden-Windows-v0.2.1-amd64-clang-pgo.zip"
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network activity (1)
IP addresses (1)
  • 162.159.36.2
Filesystem & mutexes (24)
Files written (15)
  • \Device\ConDrv\Connect
  • C:\Users\<USER>\AppData\Roaming\eden\log\eden_log.txt
  • C:\Users\<USER>\AppData\Roaming\eden\config\sdl2-config.ini
  • C:\Users\<USER>\AppData\Roaming\eden\sdmc\FsAccessLog.txt
  • C:\Users\<USER>\AppData\Roaming\eden\nand\system\save\8000000000000010\su\avators\profiles.dat
  (10 more not shown)
Files deleted (6)
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2025.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2602.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER271C.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2025.tmp.dmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER2602.tmp.WERInternalMetadata.xml
  (1 more not shown)
Mutexes created (3)
  • Local\WERReportingForProcess3332
  • Global\AmiProviderMutex_InventoryApplicationFile
  • Global\eddf408d-e831-4335-a238-3d3bc074ef78
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
  • 82a5b8cf2e9bec4a17b6a29160 (never scanned; never seen before)
  • d557539df68e771cc1ee9e3744 (never scanned; never seen before)
  • 9d54e294b701e50f4c6556c88f (never scanned; never seen before)
  • a2010f343487d3f7618acf0499 (never scanned; never seen before)
  • 84c6ef3ea9e3254a54d0380a8f (never scanned; never seen before)
  • aaf135472f81c5b4a0dc430df3 (never scanned; never seen before)
  • e34c58338bd89d43e70942488e (never scanned; never seen before)
  • 3cf06aba3588c41c514f75dcb4 (never scanned; never seen before)
  • 3972dc9744f6499f0f9bb36986 (never scanned; never seen before)
  • b6a8bf63ae2c95b0aa256acc4e (never scanned; never seen before)
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

2 synthesis rules
MITRE ATT&CK profile
Defense evasion × 1, C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Users\<USER>\AppData\Local\Temp\eden-cli.exe"
  • DirectIpC2 (medium)

    Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    162.159.36.2
Antivirus engine breakdown

0 detections across 74 engines

0 malicious, 0 suspicious, 74 clean
Tier-1 (17 engines): 0 flagged. Top commercial AVs (low FP rate)
Tier-2 (38 engines): 0 flagged. Mainstream engines with mixed FP rates
Low-trust (19 engines): 0 flagged. Heuristic / generic-AI engines (high FP rate)
All 74 engines report this file as clean.
Hash 6c1b53ce3251… cross-referenced against 74 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
200
Hundreds of people have uploaded this — common.
Total submissions
216
Includes repeat uploads by the same source.
First seen by VT
1mo ago
Jun 1, 2026
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
6/1/2026, 5:07:15 PM
First seen (MalwareBazaar)
Last analysis (VT)
7/3/2026, 7:50:50 AM
Scanned here
7/4/2026, 12:54:37 AM
File name
Eden-Windows-v0.2.1-amd64-clang-pgo.zip
Size
35.23 MB
MIME type
(unknown)
Detected type
ZIP
SHA-256
6c1b53ce325170a026cc0f87098380027dc6170d94ba95f913aab7596fd097cb
MD5
3eb0871ed8aebb60af9ec4e21dada7c7
SHA-1
475d1176f4ab346c66bcf1c03b96d6fd85828a4e
First scan (MalwareTips)
7/4/2026, 12:54:37 AM
Last scan (MalwareTips)
7/4/2026, 12:54:37 AM
Behavior tags
long-sleeps, detect-debug-environment, zip, contains-pe
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.