Safe
Zero tier-1 detections across 68 engines; 357 submitters confirm common prevalence; heuristic triggers on benign system diagnostics.
5a1f018642c95d4e0a…0bed41b941
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The evidence strongly indicates a benign ASUS support agent. Zero tier-1 malicious detections across 75 engines is the primary signal — if this were malware, at least one high-trust engine would have caught it. The prevalence classification (common_old, 357 sources) confirms this is a known, widely-trusted file. The two triggered heuristics (ProcessInjection and CredentialDumper) fired on normal system-interaction patterns: ASUS support tools legitimately inspect processes and query the credential store during diagnostics. The absence of malicious sandbox verdicts, C2 contact, or credential exfiltration confirms these are benign operations. Dropped files (asussigncheck.dll, newtonsoft.json.dll) are consistent with a .NET-based installer using Costura embedding, not malware staging. The unsigned status is a minor concern, but the overwhelming prevalence and tier-1 silence rule out a trojanized copy.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines: 0/68 malicious; tier1Malicious=0; tier1ReportedClean=17 (Avast, BitDefender, Kaspersky, ESET-NOD32, Fortinet, F-Secure, Emsisoft, Avira, AVG, DrWeb, GData, Ikarus, all silent)
- prevalence.classification=common_old; 357 unique sources, 381 submissions since 2025-07-10 — consistent with legitimate widely-distributed software
- triggeredHeuristics: ProcessInjection (T1055) and CredentialDumper fired, but behaviour.hasMaliciousSandboxVerdict=false; no malicious contacted hosts; droppedChildren.hasMaliciousChild=false (5/5 inspected benign)
- filename 'ASUSSupportAgent_1.1.0.0.zip' claims ASUS vendor; brandMismatch.detected=false; filenameAnalysis shows hasNumericVersion=true, looksLikePortable=true — consistent with legitimate vendor release
- dropped files include asussigncheck.dll, newtonsoft.json.dll, Costura-embedded .NET assemblies — typical of legitimate .NET-based installer, not malware staging
- Zero tier-1 antivirus detections (17 high-trust engines silent)
- Common prevalence: 357 unique submitters, 381 submissions over 357 days
- No malicious sandbox verdict; no C2 contact; no credential exfiltration
- Dropped files consistent with legitimate .NET installer (Costura-embedded assemblies)
- Filename and version pattern match legitimate ASUS vendor release
- File is unsigned (no Authenticode signature)
- Heuristic rule fired on process-injection pattern (T1055)
- Heuristic rule fired on LSASS-access pattern (credential-dumper shape)
This file is safe. The zero tier-1 detections and high prevalence confirm it is a legitimate ASUS support tool. Heuristic triggers reflect normal diagnostic behaviour, not malware. Download and use with confidence if obtained from official ASUS channels.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- C:\Users\<USER>\AppData\Local\Temp\Costura\744A77D656F10037D4B6978F55F978A8\64\asussigncheck.dll
- C:\Users\<USER>\AppData\Local\Temp\Costura\744A77D656F10037D4B6978F55F978A8\64\newtonsoft.json.dll
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
- C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
- C:\Users\user\AppData\Local\Temp\4cfneqnb.ujr
- Costura744A77D656F10037D4B6978F55F978A8
- Local\__DDrawExclMode__
- Local\__DDrawCheckExclMode__
- \Sessions\1\BaseNamedObjects\Costura744A77D656F10037D4B6978F55F978A8
- \Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__
Files this sample writes at runtime
This file drops 5 children at runtime. None are currently flagged malicious in our cache.
- 16a19763520bc5acfa82…a4042f: never scanned, never seen before
- b5a68ced51d3f5b73d89…a3311a: never scanned, never seen before
- 7df844a0937127d4ce4c…b5b5b4: never scanned, never seen before
- e1e27af7b07eeedf5ce7…44fa9d: never scanned, never seen before
- 2124d4410ff56688cc42…387326: never scanned, never seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\System32\svchost.exe -k NetworkService -p
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
0 detections across 75 engines
How often this file shows up in the wild
Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.
Forensic fingerprint
- File name: ASUSSupportAgent_1.1.0.0.zip
- Size: 32.45 MB
- MIME type: (unknown)
- Detected type: ZIP
- SHA-256: 5a1f018642c95d4e0acf9bea02904f9f9f11f86e6ab54c0f4d13f40bed41b941
- MD5: afca567dfe51c3d1e54e46a34abb6829
- SHA-1: cbfae13d042019842efe5174aaab93fed7598550
- First seen (VT): 7/9/2025, 10:33:16 PM
- Last analysis (VT): 6/29/2026, 6:49:42 PM
- First scan (MalwareTips): 7/1/2026, 6:34:46 PM
- Last scan (MalwareTips): 7/1/2026, 6:34:46 PM
- Community reputation: +2 (trusted)
Reviews & malware reports (0)