Safe
Zero tier-1 engine detections across 66 scanners; heuristic triggers on process injection and direct IP contact are generic signatures common to legitimate emulators.
6c1b53ce325170a026…596fd097cb
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This ZIP archive shows zero detections from tier-1 engines (Avast, BitDefender, Kaspersky, Microsoft, ESET, Fortinet, Ikarus, DrWeb) despite broad scanning coverage. The two triggered heuristics — process injection and direct IP contact — are generic malware signatures that commonly fire on legitimate emulators and development tools. The absence of malicious dropped children, malicious sandbox verdicts, and external threat intelligence (YARA, CIRCL) indicates no confirmed malicious runtime behaviour. The file's medium prevalence (200 unique submitters over 32 days) and semantic versioning (v0.2.1) are consistent with legitimate open-source project distribution. The heuristic noise appears to reflect the tool's legitimate use of process injection for emulation rather than malicious intent.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0/17 tier-1 malicious (Avast, BitDefender, Kaspersky, Microsoft, ESET, Fortinet, Ikarus, DrWeb all silent)
prevalence.classification=medium with 200 unique submitters over 32 days — consistent with legitimate open-source project distribution
behaviour.offensiveTechniques=[T1055, T1562.001] but droppedChildren.hasMaliciousChild=false and no malicious sandbox verdicts — heuristic noise without confirmed malicious runtime
contactedHosts.maliciousHosts=null; externalIntel.yaraify.ruleCount=0; externalIntel.circl.hit=false — no corroborating threat intelligence
triggeredHeuristics fired on ProcessInjection + DirectIpC2 but both are generic signatures common to emulators and development tools; no tier-1 family consensus
- Zero tier-1 engine detections across Avast, BitDefender, Kaspersky, Microsoft, ESET, Fortinet, Ikarus, DrWeb
- Medium prevalence: 200 unique submitters, 216 submissions over 32 days — consistent with legitimate distribution
- No malicious dropped children; no malicious sandbox verdicts; no external threat intelligence hits (YARA, CIRCL)
- Semantic versioning (v0.2.1) and filename pattern align with legitimate open-source emulator project
- triggeredHeuristics: ProcessInjection (T1055) and DirectIpC2 detected — but generic signatures common to emulators
- Unsigned binary with no signer history — typical for open-source projects
- Direct IP contact without DNS: the single contacted address, 162.159.36.2, falls in 162.158.0.0/15, a range Cloudflare announces and publishes in its IPv4 list, so a CDN or update check is the plausible explanation; no threat-intel source flags the address
This file shows no confirmed malicious indicators from high-trust antivirus engines or runtime analysis. The heuristic triggers are generic signatures common to legitimate emulators and development tools. Because the binary is unsigned, the archive checksum is the only integrity guarantee available: compare the SHA-256 listed under Forensic fingerprint below with the checksum the Eden project publishes for the v0.2.1 release before extracting. If it matches, extraction and use are safe; a scanner verdict on its own does not establish that the download is the official build.
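The check described above, as an added example that is not code from the MalwareTips page or from the Eden project: compute the archive's digests, compare them with a published value, and list what deserves a look before extraction. REPORTED carries the digests the report prints for Eden-Windows-v0.2.1-amd64-clang-pgo.zip; the reference value used in practice must come from the project's own release page. build_demo_zip() constructs a small stand-in archive so the code runs offline, and the planted entries in it (a PE file with a .dat extension, a traversal path) are this example's own.

```python
"""Checksum verification and pre-extraction triage for a release archive.

Added example; not code from the scanner page or the Eden project. REPORTED
holds the digests the report lists; compare against the project's published
checksum in real use. build_demo_zip() is a constructed stand-in archive.
"""
import hashlib
import io
import sys
import zipfile

# Digests as listed on the report page for the real 35 MB archive.
REPORTED = {
    "sha256": "6c1b53ce325170a026cc0f87098380027dc6170d94ba95f913aab7596fd097cb",
    "sha1": "475d1176f4ab346c66bcf1c03b96d6fd85828a4e",
    "md5": "3eb0871ed8aebb60af9ec4e21dada7c7",
}
CHUNK = 1 << 20  # hash in 1 MiB slices so a large archive is never copied whole


def digests(data: bytes) -> dict:
    """Compute every digest named in REPORTED over a single pass of the data."""
    hs = {name: hashlib.new(name) for name in REPORTED}
    view = memoryview(data)
    for off in range(0, len(view), CHUNK):
        for h in hs.values():
            h.update(view[off:off + CHUNK])
    return {name: h.hexdigest() for name, h in hs.items()}


def verify(data: bytes, expected: dict) -> dict:
    """Return {algorithm: matched}. Trust only the SHA-256 result; MD5 and SHA-1
    appear because the report lists them, not because they resist collisions."""
    actual = digests(data)
    return {algo: actual[algo] == value.lower() for algo, value in expected.items()}


def triage_zip(data: bytes) -> dict:
    """What a reviewer should look at before extracting:
    traversal   - entry names that would escape the extraction directory (zip-slip)
    executables - entries whose first two bytes are the PE 'MZ' signature
    disguised   - PE files whose extension is not .exe/.dll"""
    findings = {"traversal": [], "executables": [], "disguised": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts or ":" in parts[0]:
                findings["traversal"].append(name)
                continue  # never open an entry that is already suspicious by name
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings["executables"].append(name)
                    if not name.lower().endswith((".exe", ".dll")):
                        findings["disguised"].append(name)
    return findings


def build_demo_zip() -> bytes:
    """Constructed stand-in archive: a plausible layout plus two planted
    problems (a PE file with a data extension and a traversal entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Eden-Windows-v0.2.1/README.md", "Eden v0.2.1 (constructed)\n")
        zf.writestr("Eden-Windows-v0.2.1/eden.exe", b"MZ" + b"\0" * 62)
        zf.writestr("Eden-Windows-v0.2.1/plugin.dat", b"MZ" + b"\0" * 62)
        zf.writestr("../../evil.txt", "escapes the extraction directory\n")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 2:  # real use: python verify_release.py <archive.zip>
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print("checksums:", verify(blob, REPORTED))
    else:
        blob = build_demo_zip()
    print("triage:", triage_zip(blob))
```

Run it with the downloaded archive as the only argument; all three checksums should report True for the file the report describes, and triage_zip should list executables only where the release layout puts them. A mismatch on SHA-256 means you do not have the file this verdict was issued for, whatever the other two digests say.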
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed. The Windows Error Reporting artifacts in the list below (the WER*.tmp.dmp and WERInternalMetadata.xml files, the Local\WERReportingForProcess3332 mutex) show that the process faulted during the run, so the recorded behaviour covers only what executed before the crash.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- \Device\ConDrv\Connect
- C:\Users\<USER>\AppData\Roaming\eden\log\eden_log.txt
- C:\Users\<USER>\AppData\Roaming\eden\config\sdl2-config.ini
- C:\Users\<USER>\AppData\Roaming\eden\sdmc\FsAccessLog.txt
- C:\Users\<USER>\AppData\Roaming\eden\nand\system\save\8000000000000010\su\avators\profiles.dat
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2025.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2602.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER271C.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2025.tmp.dmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER2602.tmp.WERInternalMetadata.xml
- Local\WERReportingForProcess3332
- Global\AmiProviderMutex_InventoryApplicationFile
- Global\eddf408d-e831-4335-a238-3d3bc074ef78
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 82a5b8cf2e9bec4a17b6…a29160 (never scanned; never seen before)
- d557539df68e771cc1ee…9e3744 (never scanned; never seen before)
- 9d54e294b701e50f4c65…56c88f (never scanned; never seen before)
- a2010f343487d3f7618a…cf0499 (never scanned; never seen before)
- 84c6ef3ea9e3254a54d0…380a8f (never scanned; never seen before)
- aaf135472f81c5b4a0dc…430df3 (never scanned; never seen before)
- e34c58338bd89d43e709…42488e (never scanned; never seen before)
- 3cf06aba3588c41c514f…75dcb4 (never scanned; never seen before)
- 3972dc9744f6499f0f9b…b36986 (never scanned; never seen before)
- b6a8bf63ae2c95b0aa25…6acc4e (never scanned; never seen before)
YARA + heuristic rules that fired
Two heuristic rules matched this sample. Researcher-curated YARA rules that target specific malware families would be near-definitive, but none matched here (externalIntel.yaraify.ruleCount=0); the two matches below are generic behavioural heuristics and carry only the weight the verdict assigns them, not a family attribution.
ProcessInjection (MITRE T1055, Process Injection). Rule description: CreateRemoteThread / APC / reflective-DLL injection, used to smuggle a payload into a legitimate process to bypass AV hooks. Emulators and other JIT-based tools routinely allocate and write executable memory and manipulate threads, which is what this heuristic keys on; the only evidence recorded is the sample's own executable path, and no injection target process is listed.
Evidence: "C:\Users\<USER>\AppData\Local\Temp\eden-cli.exe"
DirectIpC2. Rule description: the sample contacted 1 external IP address and zero domains. Benign software usually resolves names through DNS; direct-IP contact with no preceding DNS query is a common C2 indicator because it sidesteps DNS-based reputation and domain blocklists. Here the indicator is weak: the single address sits in 162.158.0.0/15, a range Cloudflare announces and publishes, and no threat-intel source flags it (contactedHosts.maliciousHosts=null).
Evidence: 162.159.36.2
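The DirectIpC2 logic above, replayed over a sandbox network trace, as an added example; this is not the MalwareTips rule and not Eden code. The trace is constructed to resemble what the report shows (a connection to 162.159.36.2 that no DNS answer explains) plus a few events that exercise the ordering and filtering rules. The 162.158.0.0/15 entry is taken from Cloudflare's published IPv4 range list; the KNOWN_INFRA structure, the event format and every other address are this example's own assumptions.

```python
"""Replay the 'direct IP, no DNS' heuristic over a sandbox network trace.

Added example; not the scanner's rule and not Eden code. TRACE is constructed.
The Cloudflare range is from Cloudflare's published IPv4 list; everything else
in KNOWN_INFRA and TRACE is illustrative.
"""
import ipaddress

# Ranges a reviewer treats as shared infrastructure rather than attacker-owned.
# Only the Cloudflare entry is a real published range; extend this from the
# providers' own lists, never from guesses.
KNOWN_INFRA = {
    "cloudflare": [ipaddress.ip_network("162.158.0.0/15")],
}

# Sandbox-internal space: RFC 1918, loopback, link-local. Connections there are
# not C2-relevant regardless of DNS history.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed trace; 't' is event order. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary public hosts.
TRACE = [
    {"t": 1, "kind": "dns", "qname": "updates.example.net", "answers": ["203.0.113.10"]},
    {"t": 2, "kind": "connect", "dst": "203.0.113.10", "port": 443},   # explained by t=1
    {"t": 3, "kind": "connect", "dst": "10.0.0.5", "port": 445},       # internal, ignored
    {"t": 4, "kind": "connect", "dst": "162.159.36.2", "port": 443},   # no DNS, known CDN
    {"t": 5, "kind": "connect", "dst": "198.51.100.7", "port": 8080},  # no DNS, unattributed
    {"t": 6, "kind": "dns", "qname": "late.example.net", "answers": ["198.51.100.7"]},
]


def classify_infra(ip: str):
    """Name the infrastructure owner for ip, or None if it is in no known range."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in KNOWN_INFRA.items():
        if any(addr in net for net in nets):
            return owner
    return None


def direct_ip_contacts(trace):
    """Connections whose destination no earlier DNS answer produced.
    The trace is walked in time order on purpose: a resolution that arrives
    after the connect (t=6 above) cannot have supplied the address."""
    resolved = set()
    hits = []
    for ev in sorted(trace, key=lambda e: e["t"]):
        if ev["kind"] == "dns":
            resolved.update(ev["answers"])
        elif ev["kind"] == "connect":
            dst = ev["dst"]
            addr = ipaddress.ip_address(dst)
            if any(addr in net for net in INTERNAL):
                continue
            if dst not in resolved:
                hits.append({"dst": dst, "port": ev["port"], "infra": classify_infra(dst)})
    return hits


def weigh(hits) -> str:
    """How much the heuristic should count for in a verdict:
    none   - no direct-IP contact
    weak   - every hit lands in known shared infrastructure (CDN, update hosting)
    strong - at least one hit goes to an address nobody can attribute"""
    if not hits:
        return "none"
    if all(h["infra"] is not None for h in hits):
        return "weak"
    return "strong"


if __name__ == "__main__":
    found = direct_ip_contacts(TRACE)
    for h in found:
        print(f"{h['dst']}:{h['port']}  infra={h['infra']}")
    print("DirectIpC2 weight:", weigh(found))
```

On the report's own evidence (one contact, 162.159.36.2, no DNS) the function returns a single hit attributed to Cloudflare and weigh() says "weak", which is the state the verdict describes; the constructed 198.51.100.7 contact shows what an unattributed address would do to the weighting. The late DNS answer at t=6 is deliberately not allowed to explain the earlier connect, since the sandbox saw the connection before any name resolution.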
0 detections across 74 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: Eden-Windows-v0.2.1-amd64-clang-pgo.zip
- Size: 35.23 MB
- MIME type: (unknown)
- Detected type: ZIP
- SHA-256: 6c1b53ce325170a026cc0f87098380027dc6170d94ba95f913aab7596fd097cb
- MD5: 3eb0871ed8aebb60af9ec4e21dada7c7
- SHA-1: 475d1176f4ab346c66bcf1c03b96d6fd85828a4e
- First seen (VT): 6/1/2026, 5:07:15 PM
- Last analysis (VT): 7/3/2026, 7:50:50 AM
- First scan (MalwareTips): 7/4/2026, 12:54:37 AM
- Last scan (MalwareTips): 7/4/2026, 12:54:37 AM
Reviews & malware reports (0)