File name:

aswMBR.exe

Full analysis: https://app.any.run/tasks/9537ed5e-bf48-4479-912e-b9bb5c9f20fd
Verdict: Malicious activity
Analysis date: June 09, 2024, 21:41:55
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

8E3384C7A0CF27B15D786E665CE74308

SHA1:

D9AA0EF8013810FE52130CCC91CEBA16D7686CC6

SHA256:

3D212B0B8BE4D354150FF30B39A6349F7B6693A3021348D24A98FC3F8BABDB62

SSDEEP:

98304:MXPr6FwonZHZpdjD0+zNe7jsWi4IzcrPDuzGHi/rH6YdOfi8vWrVfhs/OEVRwxVA:708Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • aswMBR.exe (PID: 4080)
  • SUSPICIOUS

    • Creates or modifies Windows services

      • aswMBR.exe (PID: 4080)
    • Drops a system driver (possible attempt to evade defenses)

      • aswMBR.exe (PID: 4080)
    • The process drops C-runtime libraries

      • aswMBR.exe (PID: 4080)
    • Executable content was dropped or overwritten

      • aswMBR.exe (PID: 4080)
    • Process drops legitimate windows executable

      • aswMBR.exe (PID: 4080)
  • INFO

    • Checks supported languages

      • aswMBR.exe (PID: 4080)
    • Reads the computer name

      • aswMBR.exe (PID: 4080)
    • Create files in a temporary directory

      • aswMBR.exe (PID: 4080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (23.1)
.exe | Win32 EXE PECompact compressed (generic) (22.3)
.exe | Win32 Executable MS Visual C++ (generic) (16.8)
.exe | Win64 Executable (generic) (14.8)
.exe | UPX compressed Win32 Executable (14.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:11:14 08:16:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 459776
InitializedDataSize: 4748800
UninitializedDataSize: -
EntryPoint: 0x4c31d
OSVersion: 5
ImageVersion: 5
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.2252
ProductVersionNumber: 1.0.1.2252
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AVAST Software
FileDescription: avast! Antirootkit
FileVersion: 1, 0, 1, 2252
InternalName: aswMBR.exe
LegalCopyright: Copyright (c) 2010 AVAST Software. All rights reserved.
OriginalFileName: aswMBR.exe
ProductName: avast! Antirootkit
ProductVersion: 1, 0, 1, 2252
No data.
All screenshots are available in the full report
Total processes
116
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph (interactive in the full report)

start -> aswmbr.exe; aswmbr.exe (no specs)

Process information

PID: 3700
CMD: "C:\Users\admin\Desktop\aswMBR.exe"
Path: C:\Users\admin\Desktop\aswMBR.exe
Indicators: none (the "no specs" node in the behavior graph)
Parent process: explorer.exe
User: admin
Company: AVAST Software
Integrity Level: MEDIUM
Description: avast! Antirootkit
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance could not start without elevation; PID 4080 below, same parent, HIGH integrity, is the elevated relaunch)
Version: 1, 0, 1, 2252
Modules (images):
c:\users\admin\desktop\aswmbr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 4080
CMD: "C:\Users\admin\Desktop\aswMBR.exe"
Path: C:\Users\admin\Desktop\aswMBR.exe
Indicators: all signatures listed above
Parent process: explorer.exe
User: admin
Company: AVAST Software
Integrity Level: HIGH
Description: avast! Antirootkit
Version: 1, 0, 1, 2252
Modules (images):
c:\users\admin\desktop\aswmbr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
224
Read events
214
Write events
10
Delete events
0

Modification events

All ten writes are by PID 4080 (aswMBR.exe) and register two kernel-driver services. Type 1 is SERVICE_KERNEL_DRIVER, Start 3 is SERVICE_DEMAND_START (loaded on request, not at boot) and ErrorControl 1 is SERVICE_ERROR_NORMAL; both ImagePath values point into the user's Temp directory and match the two .sys files in the dropped-files list below.

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswMBR (operation: write)
Type: 1
ErrorControl: 1
Start: 3
ImagePath: \??\C:\Users\admin\AppData\Local\Temp\aswMBR.sys
Group: Base

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswVmm (operation: write)
Type: 1
ErrorControl: 1
Start: 3
ImagePath: \??\C:\Users\admin\AppData\Local\Temp\aswVmm.sys
Group: Base
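As an added example (not part of the ANY.RUN report and not code from Avast), the following Python takes the ten registry writes above as constructed input and flags any service whose Type marks it as a kernel or file-system driver and whose ImagePath resolves into a user-writable directory. The system root C:\Windows used to resolve relative paths and the HTTP service in the benign counter-example are assumptions. This is the check that separates the two registrations here from an ordinary driver install under System32\drivers; it does not distinguish a legitimately signed anti-rootkit driver from a malicious one, which requires verifying the .sys file's Authenticode signature.

```python
import re
from collections import defaultdict

# Constructed sample input: the ten registry writes from the report's
# "Modification events" section, as (pid, process, key, value name, data).
SAMPLE_EVENTS = [
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswMBR", "Type", "1"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswMBR", "ErrorControl", "1"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswMBR", "Start", "3"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswMBR", "ImagePath",
     r"\??\C:\Users\admin\AppData\Local\Temp\aswMBR.sys"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswMBR", "Group", "Base"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswVmm", "Type", "1"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswVmm", "ErrorControl", "1"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswVmm", "Start", "3"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswVmm", "ImagePath",
     r"\??\C:\Users\admin\AppData\Local\Temp\aswVmm.sys"),
    (4080, "aswMBR.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswVmm", "Group", "Base"),
]

# Meaning of the Services\<name>\Type and Start REG_DWORD values (winnt.h / winsvc.h).
SERVICE_TYPE_NAMES = {
    0x01: "SERVICE_KERNEL_DRIVER",
    0x02: "SERVICE_FILE_SYSTEM_DRIVER",
    0x10: "SERVICE_WIN32_OWN_PROCESS",
    0x20: "SERVICE_WIN32_SHARE_PROCESS",
}
START_NAMES = {
    0: "SERVICE_BOOT_START",
    1: "SERVICE_SYSTEM_START",
    2: "SERVICE_AUTO_START",
    3: "SERVICE_DEMAND_START",
    4: "SERVICE_DISABLED",
}
DRIVER_TYPES = {0x01, 0x02}

SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
# Directories a standard user can write to; a driver image should never live there.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\|\\appdata\\|\\temp\\", re.IGNORECASE)
# Assumed system root for resolving relative ImagePath values (not taken from the report).
SYSTEM_ROOT = "C:\\Windows"


def normalize_image_path(image_path: str) -> str:
    """Turn raw ImagePath data (NT prefixes, relative forms) into a plain Win32 path."""
    p = image_path.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\SystemRoot"):]
    elif low.startswith("system32\\"):
        # Relative driver paths are resolved under %SystemRoot%.
        p = SYSTEM_ROOT + "\\" + p
    return p


def group_by_service(events):
    """Fold per-value registry writes into one record per Services\\<name> key."""
    services = defaultdict(dict)
    for pid, process, key, name, data in events:
        match = SERVICE_KEY.search(key)
        if not match:
            continue  # not a service registration
        record = services[match.group(1)]
        record.setdefault("_writers", set()).add((pid, process))
        record[name] = data
    return dict(services)


def assess(services):
    """Return one finding per driver service whose image lives in user-writable space."""
    findings = []
    for name in sorted(services):
        record = services[name]
        service_type = int(record.get("Type", "0"))
        start = int(record.get("Start", "4"))
        if service_type not in DRIVER_TYPES:
            continue
        path = normalize_image_path(record.get("ImagePath", ""))
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("driver image in a user-writable directory")
        if not path.lower().endswith(".sys"):
            reasons.append("driver ImagePath does not end in .sys")
        if reasons:
            findings.append({
                "service": name,
                "type": SERVICE_TYPE_NAMES.get(service_type, hex(service_type)),
                "start": START_NAMES.get(start, str(start)),
                "image_path": path,
                "writers": sorted(record.get("_writers", ())),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in assess(group_by_service(SAMPLE_EVENTS)):
        print(f"{finding['service']}: {finding['type']}, {finding['start']}, "
              f"{finding['image_path']} -> {'; '.join(finding['reasons'])}")
```

Run against the report's events, both aswMBR and aswVmm are flagged as SERVICE_KERNEL_DRIVER / SERVICE_DEMAND_START with an image under C:\Users\admin\AppData\Local\Temp; a driver registered with a relative system32\drivers\ path produces no finding. The same folding logic applies to Sysmon Event ID 13 or ETW registry telemetry, where the writes arrive one value at a time just as they do here.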
Executable files
16
Suspicious files
0
Text files
2
Unknown types
0

Dropped files (all written by PID 4080, aswMBR.exe)

C:\Users\admin\AppData\Local\Temp\aswVmm.sys (executable)
MD5: A6542A6E95461458FD386D4A40417F31
SHA256: 5073CAF44064F7716F68A2803DA57B1C75F39A45D8F8DEC72A14080320BE05BF

C:\Users\admin\AppData\Local\Temp\aswMBR.sys (executable)
MD5: AE358AA704ED7BD4A592053426237065
SHA256: 3507BA0C32B6EBBACBDDD46D6A65309D75A6926243B6A78B406F5514C32AA120

C:\Users\admin\AppData\Local\Temp\_av4_\ashBase.dll (executable)
MD5: 54C458A07FA6D44EE640777013E92A15
SHA256: CE2795E25220EA2D147A7AA96372A5B3E6DB44569B2044AEA74C25EF40758718

C:\Users\admin\AppData\Local\Temp\_av4_\ashSXML.dll (executable)
MD5: ACA1DF15A75F066837525FAEA5E2BE46
SHA256: 708BC1BC8864A12E575E3A5068F2913ACA666757293FEE4D1DCBB73A8BBDC0C8

C:\Users\admin\AppData\Local\Temp\_av4_\ashSSqlt.dll (executable)
MD5: DD941B3009294441FBBD2019098F2260
SHA256: 3BC28F90F2590EC964D557EF779D69BA2FAA7A9D65098223B04F944FBCF98C3D

C:\Users\admin\AppData\Local\Temp\_av4_\aswCmnS.dll (executable)
MD5: 13EEB998A123530809BFBC16A6BE580E
SHA256: 947EE660EAB27FB77B982073A28EEC1C1099E8018193CCD32F177A4976E1D852

C:\Users\admin\AppData\Local\Temp\_av4_\aswRes.dll (executable)
MD5: 4EF2C07E609A13DFA539E918534C23A3
SHA256: 599B12047F4EA1881F6C3EE312A5E557FAC047D449D58158A5B3FCB205C52EA8

C:\Users\admin\AppData\Local\Temp\_av4_\aswScan.dll (executable)
MD5: 088022E7418526C11831394502A6E5BD
SHA256: 60F9507148C9DCBEB08EFC5563A5812F9D659DD08F277BA8E121F61F14AF504C

C:\Users\admin\AppData\Local\Temp\_av4_\aswCmnB.dll (executable)
MD5: 99F500385CB4DFF826F0A9058BEE2C98
SHA256: 544AC9AD907F582966A94C2E0509725782B2C8075DD5D925FB8C811F33791CB5

C:\Users\admin\AppData\Local\Temp\_av4_\aswCmnOS.dll (executable)
MD5: 01033EDA5F63E4BA48C25099CE9D6BDD
SHA256: FF511070EFAD9FA5E3273FF06289C904E0A4F9491A802AB8153B09FB7A81E5B2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
6
Threats
0

HTTP requests

All attributed requests come from Windows system processes (CRL downloads by MoUsoCoreWorker.exe, svchost.exe and RUXIMICS.exe, plus one telemetry POST); none is attributed to aswMBR.exe (PIDs 3700/4080).

PID   Process              Method  Code  IP:port             URL                                                                         CN       Type    Size  Reputation
5140  MoUsoCoreWorker.exe  GET     200   95.100.242.144:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  -       -     unknown
5228  svchost.exe          GET     200   95.100.242.144:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  -       -     unknown
1964  RUXIMICS.exe         GET     200   95.100.242.144:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  -       -     unknown
1964  RUXIMICS.exe         GET     200   23.200.213.221:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl         unknown  -       -     unknown
5228  svchost.exe          GET     200   23.200.213.221:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl         unknown  -       -     unknown
-     -                    POST    200   20.189.173.28:443   https://self.events.data.microsoft.com/OneCollector/1.0/                    unknown  binary  9 b   -

Connections

239.255.255.250:1900 is the SSDP multicast group and 192.168.100.255:138 is a NetBIOS datagram broadcast on the local subnet; both are ordinary Windows background traffic. No connection is attributed to aswMBR.exe (PIDs 3700/4080).

PID   Process              IP:port               Domain                           ASN                          CN  Reputation
-     -                    239.255.255.250:1900  -                                -                            -   unknown
5228  svchost.exe          4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
1964  RUXIMICS.exe         4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
5140  MoUsoCoreWorker.exe  4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
5228  svchost.exe          95.100.242.144:80     crl.microsoft.com                Akamai International B.V.    IT  unknown
1964  RUXIMICS.exe         95.100.242.144:80     crl.microsoft.com                Akamai International B.V.    IT  unknown
5140  MoUsoCoreWorker.exe  95.100.242.144:80     crl.microsoft.com                Akamai International B.V.    IT  unknown
1964  RUXIMICS.exe         23.200.213.221:80     www.microsoft.com                AKAMAI-AS                    FR  unknown
5228  svchost.exe          23.200.213.221:80     www.microsoft.com                AKAMAI-AS                    FR  unknown
4     System               192.168.100.255:138   -                                -                            -   whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 95.100.242.144
  • 95.100.242.154
whitelisted
www.microsoft.com
  • 23.200.213.221
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 20.189.173.11
whitelisted

Threats

No threats detected
No debug info