File name: aswMBR.exe

Full analysis: https://app.any.run/tasks/70ccbf48-26b2-4fc3-824f-d7752d52df69
Verdict: Malicious activity
Analysis date: June 09, 2024, 19:43:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8E3384C7A0CF27B15D786E665CE74308
SHA1: D9AA0EF8013810FE52130CCC91CEBA16D7686CC6
SHA256: 3D212B0B8BE4D354150FF30B39A6349F7B6693A3021348D24A98FC3F8BABDB62
SSDEEP: 98304:MXPr6FwonZHZpdjD0+zNe7jsWi4IzcrPDuzGHi/rH6YdOfi8vWrVfhs/OEVRwxVA:708Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • aswMBR.exe (PID: 4080)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • aswMBR.exe (PID: 4080)
    • Executable content was dropped or overwritten

      • aswMBR.exe (PID: 4080)
    • Drops a system driver (possible attempt to evade defenses)

      • aswMBR.exe (PID: 4080)
    • Creates or modifies Windows services

      • aswMBR.exe (PID: 4080)
    • The process drops C-runtime libraries

      • aswMBR.exe (PID: 4080)
  • INFO

    • Reads the computer name

      • aswMBR.exe (PID: 4080)
    • Create files in a temporary directory

      • aswMBR.exe (PID: 4080)
    • Checks supported languages

      • aswMBR.exe (PID: 4080)
No Malware configuration.

TRiD

.exe | InstallShield setup (23.1)
.exe | Win32 EXE PECompact compressed (generic) (22.3)
.exe | Win32 Executable MS Visual C++ (generic) (16.8)
.exe | Win64 Executable (generic) (14.8)
.exe | UPX compressed Win32 Executable (14.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:11:14 08:16:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 459776
InitializedDataSize: 4748800
UninitializedDataSize: -
EntryPoint: 0x4c31d
OSVersion: 5
ImageVersion: 5
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.2252
ProductVersionNumber: 1.0.1.2252
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AVAST Software
FileDescription: avast! Antirootkit
FileVersion: 1, 0, 1, 2252
InternalName: aswMBR.exe
LegalCopyright: Copyright (c) 2010 AVAST Software. All rights reserved.
OriginalFileName: aswMBR.exe
ProductName: avast! Antirootkit
ProductVersion: 1, 0, 1, 2252
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, aswmbr.exe, aswmbr.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
3976 | "C:\Users\admin\AppData\Local\Temp\aswMBR.exe" | C:\Users\admin\AppData\Local\Temp\aswMBR.exe | - | explorer.exe
  User: admin
  Company: AVAST Software
  Integrity Level: MEDIUM
  Description: avast! Antirootkit
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1, 0, 1, 2252
  Modules (images):
    c:\users\admin\appdata\local\temp\aswmbr.exe
    c:\windows\system32\ntdll.dll
4080 | "C:\Users\admin\AppData\Local\Temp\aswMBR.exe" | C:\Users\admin\AppData\Local\Temp\aswMBR.exe | see Indicators above | explorer.exe
  User: admin
  Company: AVAST Software
  Integrity Level: HIGH
  Description: avast! Antirootkit
  Version: 1, 0, 1, 2252
  Modules (images):
    c:\users\admin\appdata\local\temp\aswmbr.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\wininet.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll

Total events: 204
Read events: 194
Write events: 10
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR | write | Type | 1
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR | write | ErrorControl | 1
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR | write | Start | 3
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR | write | ImagePath | \??\C:\Users\admin\AppData\Local\Temp\aswMBR.sys
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswMBR | write | Group | Base
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm | write | Type | 1
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm | write | ErrorControl | 1
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm | write | Start | 3
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm | write | ImagePath | \??\C:\Users\admin\AppData\Local\Temp\aswVmm.sys
4080 | aswMBR.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aswVmm | write | Group | Base

Executable files: 16
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\aswMBR.sys | executable | 483A51BF45F59C5B2F8EE01D14B46318 | 6E758FB982241CAAD70601B0E94889902CA54E30C876425BA4780AB77B6B8DA7
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\_av4_\ashSSqlt.dll | executable | DD941B3009294441FBBD2019098F2260 | 3BC28F90F2590EC964D557EF779D69BA2FAA7A9D65098223B04F944FBCF98C3D
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\_av4_\aswCmnB.dll | executable | 99F500385CB4DFF826F0A9058BEE2C98 | 544AC9AD907F582966A94C2E0509725782B2C8075DD5D925FB8C811F33791CB5
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\_av4_\ashSXML.dll | executable | ACA1DF15A75F066837525FAEA5E2BE46 | 708BC1BC8864A12E575E3A5068F2913ACA666757293FEE4D1DCBB73A8BBDC0C8
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\_av4_\ashBase.dll | executable | 54C458A07FA6D44EE640777013E92A15 | CE2795E25220EA2D147A7AA96372A5B3E6DB44569B2044AEA74C25EF40758718
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\_av4_\aswAux.dll | executable | 400F4A04D5D955BAD183B520BA1479E6 | 76F388D822BD549E9F5220E8FE511CB8CED9B73F3D396565BAB1845F2C634F03
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\_av4_\aswEngin.dll | executable | 6B198F82D25A06E2E402385038E6785B | F3AB098324BB7144B357EA9511622674C463A9E05D0B0DA1D5FA05F2BADA3589
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\_av4_\aswCmnOS.dll | executable | 01033EDA5F63E4BA48C25099CE9D6BDD | FF511070EFAD9FA5E3273FF06289C904E0A4F9491A802AB8153B09FB7A81E5B2
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\_av4_\aswScan.dll | executable | 088022E7418526C11831394502A6E5BD | 60F9507148C9DCBEB08EFC5563A5812F9D659DD08F277BA8E121F61F14AF504C
4080 | aswMBR.exe | C:\Users\admin\AppData\Local\Temp\aswVmm.sys | executable | CDA2BB375A4A45FAD85A7A5379F526C5 | 7F1634F7890E2A96211D9FB2054573E6C978C21C8E0AAA818BA7BA412AD6CBBF

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info