Safe
Widely submitted portable utility with zero engine detections and clean sandbox outcome despite heuristic flags.
5a3d0be9d5b886551a…0ebae7ee69The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero malicious engine detections across a broad reporting base combined with a clean sandbox verdict outweigh the two heuristic rules that fired on process injection and direct-IP contact. The file shows medium prevalence from over 2000 sources and matches the portable utility pattern. Unsigned status is typical for this class of tool. No external intelligence or dropped malicious children contradict the clean profile.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 0 malicious out of 74 total (tier1Malicious=0, tier1ReportedClean=17)
behaviour.hasMaliciousSandboxVerdict=false and droppedChildren.hasMaliciousChild=false
prevalence.classification=medium with 2033 unique sources
triggeredHeuristics[0].rule=MalwareTips.Synth.ProcessInjection (high severity) and [1].rule=MalwareTips.Synth.DirectIpC2 (medium severity)
externalIntel.yaraify.ruleCount=0 and circl.hit=false
- Zero engine detections across 74 scanners
- Clean sandbox verdict and no malicious children
- Medium prevalence from 2033 unique sources
- Unsigned executable inside archive
- Direct-IP network contacts without DNS resolution
- Process injection techniques observed in sandbox
The evidence supports treating the archive as safe for standard use after confirming the download origin.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 23.220.161.214
- 23.220.161.219
- 150.171.109.183
- 150.171.73.13
- 8.8.8.8
- 162.159.36.2
- http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D
- http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRIH1V64SBkA%2BzJQVQ6VFBAcvLB3wQUtqFUOQLDoD%2BOirz61PgcptE6Dv0CEQCZo4AKJlU7ZavcboSms%2Bo5
- http://ccsca2021.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRxypYNH69rICCzQBIRXN0YAFa3AAQU3XRdTADbe5%2BgdMqxbvc8wDLAcM0CEHCvtybvHbA67Vuw8owpxH0%3D
- http://repository.certum.pl/ctnca.cer
- C:\Users\<USER>\AppData\Local\Temp\DiskInfo.ini
- C:\Users\<USER>\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\AlertMail.exe.log
- C:\Users\<USER>\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AlertMail4.exe.log
- C:\Users\<USER>\AppData\Local\Temp\DiskInfo32.tmp
- C:\Users\<USER>\AppData\Local\Temp\CabA1DE.tmp
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.6072.64109
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.6072.64109
- C:\Users\<USER>\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.6072.64140
- C:\Users\<USER>\AppData\Local\Temp\DiskInfo32.log
- C:\Users\<USER>\AppData\Local\Temp\CabA1DE.tmp
- CrystalDiskInfo
- Global\Access_JMicron_SMART
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 692196a9dfcf265e3589…214840Never scannednever seen before
- 6a23f9602c56eb4fc95a…59a785Never scannednever seen before
- 51b01e57d1b6a8d29ebc…e9a7baNever scannednever seen before
- 75211b1b7c7af76c7cb0…a717cbNever scannednever seen before
- ac5a2e6c0823b9b07a60…522600Never scannednever seen before
- 210f51b2611a57b5416c…4b16d4Never scannednever seen before
- 4fce68b9c789b58aa50e…8165a5Never scannednever seen before
- 8b900dcfea8a798528b4…687796Never scannednever seen before
- 9b61f96fc28c77efadf8…6063a6Never scannednever seen before
- 983a56ff8632d1a9a76f…0e6c74Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence"C:\Users\<USER>\AppData\Local\Temp\CdiResource/AlertMail.exe"Sample contacted 6 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence23.220.161.214 · 23.220.161.219 · 150.171.109.183
0 detections across 74 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- CrystalDiskInfo9_9_1.zip
- Size
- 8.15 MB
- MIME type
- (unknown)
- Detected type
- ZIP
- SHA-256
- 5a3d0be9d5b886551ab674cc7db103cf6caeecf023c227d5b56b400ebae7ee69
- MD5
- df7159a425cd279429400dab61461b43
- SHA-1
- 539f72dfeb46dde76eb811b8dfd808a338f9e769
- First seen (VT)
- 5/23/2026, 2:55:24 AM
- Last analysis (VT)
- 7/5/2026, 9:18:38 PM
- First scan (MalwareTips)
- 7/6/2026, 9:22:37 AM
- Last scan (MalwareTips)
- 7/6/2026, 9:22:37 AM
- Community reputation
- +3trusted
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.