Malicious
Unsigned executable exhibits process injection, reflective code loading, and direct-IP C2 contact — hallmarks of evasive malware.
2ff8ecb29b45afaf4e…0e6471ccaa
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file exhibits a malware-consistent behaviour profile: process injection (T1055, T1055.003) and reflective code loading (T1620) are evasion techniques used to hide malicious payloads from security hooks. The sandbox observed direct-IP C2 contact to 162.159.36.2 with zero DNS queries, a known tactic to bypass reputation-based domain blocklists. Google (tier2) flagged the sample as 'Detected', and our heuristic engines (MalwareTips.Synth.ProcessInjection, MalwareTips.Synth.DirectIpC2) fired at high/medium severity. The file is unsigned, rare (3 submitters, 1 day old), and has no established signer history. While tier1 engines remain silent and external intel (CIRCL, YARA, MalwareBazaar) returned no hits, the combination of tier2 detection + offensive MITRE + direct-IP C2 + process injection is sufficient to classify the sample as malicious.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
Google (tier2) flagged 'Detected'; DeepInstinct (low-trust) flagged 'MALICIOUS' — 2/70 engines, but Google tier2 detection is credible.
behaviour.offensiveTechniques: T1055 (Process Injection), T1055.003 (reflective DLL injection), T1620 (reflective code loading) — evasion techniques exclusive to malware/hacktools.
triggeredHeuristics: MalwareTips.Synth.ProcessInjection [high] + MalwareTips.Synth.DirectIpC2 [medium] — direct-IP C2 to 162.159.36.2 with zero DNS queries is a strong C2 indicator.
signing.verified=false; prevalence.classification='rare_new' (3 submitters, 1 day old); no signer history — unsigned + brand-new + rare is a risk multiplier when paired with offensive behaviour.
behaviour.contactedIps=['162.159.36.2']; contactedDomains=[] — direct-IP contact bypasses DNS reputation systems, a known C2 evasion tactic.
- Tier1 engines (Kaspersky, BitDefender, ESET, Avast, Fortinet, etc.) remain silent — 17/17 tier1 engines undetected
- No malicious dropped children or secondary payloads observed
- No malicious contacted hosts in our URL cache
- No external YARA rules or CIRCL corroboration — sample may be novel
- Process injection (T1055, T1055.003) — evasion technique to hide malicious code
- Reflective code loading (T1620) — in-memory execution to avoid disk detection
- Direct-IP C2 contact (162.159.36.2) with zero DNS — bypasses domain reputation systems
- Unsigned executable — no publisher identity or code-signing verification
- Rare and new (3 submitters, 1 day old) — limited community analysis
- Temporary file writes to user Temp directory — staging area for malware components
Treat this sample as malicious and block execution. The combination of process injection, reflective code loading, and direct-IP C2 contact is consistent with evasive trojan behaviour. If encountered in your environment, isolate the affected system and conduct forensic analysis for persistence mechanisms and lateral movement.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\Users\<USER>\AppData\Local\Temp\LHD9A5D.tmp
- C:\Users\<USER>\AppData\Local\Temp\LHDAD88.tmp
- C:\Users\<USER>\AppData\Local\Temp\LHDC111.tmp
- C:\Users\<USER>\AppData\Local\Temp\LHDD48A.tmp
- C:\Users\<USER>\AppData\Local\Temp\LHDE832.tmp
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: "C:\Users\user\Desktop\HDDHealth.exe"
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 162.159.36.2
2 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name: HDDHealth.exe
- Size: 1.41 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 2ff8ecb29b45afaf4e948e431a956af1acc9f324788b427a33ae550e6471ccaa
- MD5: 74d2ebbbf7d1319125fdcb294aeceedf
- SHA-1: 7fba463d487b4f2c4726885cd3f4ab891e2ddabd
- PE imphash: 4876c4201b5481024c7a9ef09e5ed30a
- First seen (VT): 6/17/2026, 9:53:55 PM
- Last analysis (VT): 6/17/2026, 9:53:55 PM
- First scan (MalwareTips): 6/18/2026, 3:55:34 PM
- Last scan (MalwareTips): 6/18/2026, 3:55:34 PM