File name: aswMBR.exe

Full analysis: https://app.any.run/tasks/70ccbf48-26b2-4fc3-824f-d7752d52df69
Verdict: Malicious activity
Analysis date: June 09, 2024, 19:43:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8E3384C7A0CF27B15D786E665CE74308
SHA1: D9AA0EF8013810FE52130CCC91CEBA16D7686CC6
SHA256: 3D212B0B8BE4D354150FF30B39A6349F7B6693A3021348D24A98FC3F8BABDB62
SSDEEP: 98304:MXPr6FwonZHZpdjD0+zNe7jsWi4IzcrPDuzGHi/rH6YdOfi8vWrVfhs/OEVRwxVA:708Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • aswMBR.exe (PID: 4080)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • aswMBR.exe (PID: 4080)
    • Creates or modifies Windows services
      • aswMBR.exe (PID: 4080)
    • The process drops C-runtime libraries
      • aswMBR.exe (PID: 4080)
    • Process drops a legitimate Windows executable
      • aswMBR.exe (PID: 4080)
    • Drops a system driver (possible attempt to evade defenses)
      • aswMBR.exe (PID: 4080)
  • INFO
    • Reads the computer name
      • aswMBR.exe (PID: 4080)
    • Creates files in a temporary directory
      • aswMBR.exe (PID: 4080)
    • Checks supported languages
      • aswMBR.exe (PID: 4080)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | InstallShield setup (23.1)
.exe | Win32 EXE PECompact compressed (generic) (22.3)
.exe | Win32 Executable MS Visual C++ (generic) (16.8)
.exe | Win64 Executable (generic) (14.8)
.exe | UPX compressed Win32 Executable (14.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:11:14 08:16:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 459776
InitializedDataSize: 4748800
UninitializedDataSize: -
EntryPoint: 0x4c31d
OSVersion: 5
ImageVersion: 5
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.2252
ProductVersionNumber: 1.0.1.2252
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AVAST Software
FileDescription: avast! Antirootkit
FileVersion: 1, 0, 1, 2252
InternalName: aswMBR.exe
LegalCopyright: Copyright (c) 2010 AVAST Software. All rights reserved.
OriginalFileName: aswMBR.exe
ProductName: avast! Antirootkit
ProductVersion: 1, 0, 1, 2252
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> aswmbr.exe -> aswmbr.exe (no specs)

Process information

PID: 3976
CMD: "C:\Users\admin\AppData\Local\Temp\aswMBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\aswMBR.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: AVAST Software
Integrity Level: MEDIUM
Description: avast! Antirootkit
Exit code: 3221226540
Version: 1, 0, 1, 2252
Modules (images):
  c:\users\admin\appdata\local\temp\aswmbr.exe
  c:\windows\system32\ntdll.dll

PID: 4080
CMD: "C:\Users\admin\AppData\Local\Temp\aswMBR.exe"
Path: C:\Users\admin\AppData\Local\Temp\aswMBR.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: AVAST Software
Integrity Level: HIGH
Description: avast! Antirootkit
Version: 1, 0, 1, 2252
Modules (images):
  c:\users\admin\appdata\local\temp\aswmbr.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
Total events: 204
Read events: 194
Write events: 10
Delete events: 0

Modification events

PID   Process     Key                                                       Operation  Name          Value
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR   write      Type          1
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR   write      ErrorControl  1
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR   write      Start         3
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR   write      ImagePath     \??\C:\Users\admin\AppData\Local\Temp\aswMBR.sys
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR   write      Group         Base
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm   write      Type          1
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm   write      ErrorControl  1
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm   write      Start         3
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm   write      ImagePath     \??\C:\Users\admin\AppData\Local\Temp\aswVmm.sys
4080  aswMBR.exe  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm   write      Group         Base
Executable files: 16
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\aswCmnOS.dll
MD5: 01033EDA5F63E4BA48C25099CE9D6BDD
SHA256: FF511070EFAD9FA5E3273FF06289C904E0A4F9491A802AB8153B09FB7A81E5B2

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\msvcp71.dll
MD5: 561FA2ABB31DFA8FAB762145F81667C2
SHA256: DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\aswCmnB.dll
MD5: 99F500385CB4DFF826F0A9058BEE2C98
SHA256: 544AC9AD907F582966A94C2E0509725782B2C8075DD5D925FB8C811F33791CB5

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\aswRes.dll
MD5: 4EF2C07E609A13DFA539E918534C23A3
SHA256: 599B12047F4EA1881F6C3EE312A5E557FAC047D449D58158A5B3FCB205C52EA8

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\aswCmnS.dll
MD5: 13EEB998A123530809BFBC16A6BE580E
SHA256: 947EE660EAB27FB77B982073A28EEC1C1099E8018193CCD32F177A4976E1D852

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\ashSSqlt.dll
MD5: DD941B3009294441FBBD2019098F2260
SHA256: 3BC28F90F2590EC964D557EF779D69BA2FAA7A9D65098223B04F944FBCF98C3D

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\english\Base.dll
MD5: 55A3768099D89870A77BC93CB37E08B4
SHA256: B59BEC05FC740465254E434CE3E89E38079A7DAAD93973F9086011228738B2F3

PID: 4080  Process: aswMBR.exe  Type: ini
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\data\Avast4.ini
MD5: 6623F79B5E704BAA8DFA6952F52D4DBB
SHA256: AD99D9412F3B82B8B102E34000ECFBD06223536014D22462BC29CE2E815BCDAE

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_av4_\aswScan.dll
MD5: 088022E7418526C11831394502A6E5BD
SHA256: 60F9507148C9DCBEB08EFC5563A5812F9D659DD08F277BA8E121F61F14AF504C

PID: 4080  Process: aswMBR.exe  Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\aswMBR.sys
MD5: 483A51BF45F59C5B2F8EE01D14B46318
SHA256: 6E758FB982241CAAD70601B0E94889902CA54E30C876425BA4780AB77B6B8DA7
Download the PCAP and analyze network streams, HTTP content and more in the full report.

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:Port               Domain  ASN  CN  Reputation
4     System       192.168.100.255:138   -       -    -   whitelisted
-     -            224.0.0.252:5355      -       -    -   unknown
4     System       192.168.100.255:137   -       -    -   whitelisted
1088  svchost.exe  224.0.0.252:5355      -       -    -   unknown

DNS requests

No data

Threats

No threats detected
No debug info