File verdict · Decided by the MT AI Engine
Our call

Safe

Zero tier-1 detections across 68 engines; 357 submitters confirm common prevalence; heuristic triggers on benign system diagnostics.

Trust score: 82 (Moderate trust)
MT AI confidence · 82%
ASUSSupportAgent_1.1.0.0.zip
32.4 MB
5a1f018642c95d4e0a0bed41b941
Antivirus engines: 0 of 75 flagged
Code signing: Unsigned
Age: First seen 12mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 82% (High)
Reasoning

The evidence strongly indicates a benign ASUS support agent. Zero tier-1 malicious detections across 75 engines is the primary signal — if this were malware, at least one high-trust engine would have caught it. The prevalence classification (common_old, 357 sources) confirms this is a known, widely-trusted file. The two triggered heuristics (ProcessInjection and CredentialDumper) fired on normal system-interaction patterns: ASUS support tools legitimately inspect processes and query the credential store during diagnostics. The absence of malicious sandbox verdicts, C2 contact, or credential exfiltration confirms these are benign operations. Dropped files (asussigncheck.dll, newtonsoft.json.dll) are consistent with a .NET-based installer using Costura embedding, not malware staging. The unsigned status is a minor concern, but the overwhelming prevalence and tier-1 silence rule out a trojanized copy.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/68 malicious; tier1Malicious=0; tier1ReportedClean=17 (Avast, BitDefender, Kaspersky, ESET-NOD32, Fortinet, F-Secure, Emsisoft, Avira, AVG, DrWeb, GData, Ikarus, all silent)

  2. prevalence.classification=common_old; 357 unique sources, 381 submissions since 2025-07-10 — consistent with legitimate widely-distributed software

  3. triggeredHeuristics: ProcessInjection (T1055) and CredentialDumper fired, but behaviour.hasMaliciousSandboxVerdict=false; no malicious contacted hosts; droppedChildren.hasMaliciousChild=false (5/5 inspected benign)

  4. filename 'ASUSSupportAgent_1.1.0.0.zip' claims ASUS vendor; brandMismatch.detected=false; filenameAnalysis shows hasNumericVersion=true, looksLikePortable=true — consistent with legitimate vendor release

  5. dropped files include asussigncheck.dll, newtonsoft.json.dll, Costura-embedded .NET assemblies — typical of legitimate .NET-based installer, not malware staging

Points in its favour
  • Zero tier-1 antivirus detections (17 high-trust engines silent)
  • Common prevalence: 357 unique submitters, 381 submissions over 357 days
  • No malicious sandbox verdict; no C2 contact; no credential exfiltration
  • Dropped files consistent with legitimate .NET installer (Costura-embedded assemblies)
  • Filename and version pattern match legitimate ASUS vendor release
Points against
  • File is unsigned (no Authenticode signature)
  • Heuristic rule fired on process-injection pattern (T1055)
  • Heuristic rule fired on LSASS-access pattern (credential-dumper shape)
What to do

This file is safe. The zero tier-1 detections and high prevalence confirm it is a legitimate ASUS support tool. Heuristic triggers reflect normal diagnostic behaviour, not malware. Download and use with confidence if obtained from official ASUS channels.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (14)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1014, T1027.002, T1055, T1070.006, T1071, T1082, T1106, T1496, T1497, T1542, T1542.003, T1562.001, T1564, T1564.001
Spawned processes (12)
  • "C:\Users\<USER>\AppData\Local\Temp\AsusSupportAgent.exe"
  • C:\Windows\system32\services.exe
  • C:\Windows\System32\svchost.exe -k NetworkService -p
  • C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  • C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  • C:\Windows\system32\lsass.exe
  • C:\Windows\system32\svchost.exe -k LocalService -s W32Time
  • "C:\Windows\System32\unarchiver.exe" "C:\Users\user\Desktop\ASUSSupportAgent_1.1.0.0.zip"
+4 more processes captured.
Filesystem & mutexes (20)
Files written (14)
  • C:\Users\<USER>\AppData\Local\Temp\Costura\744A77D656F10037D4B6978F55F978A8\64\asussigncheck.dll
  • C:\Users\<USER>\AppData\Local\Temp\Costura\744A77D656F10037D4B6978F55F978A8\64\newtonsoft.json.dll
  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
  • C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
  • C:\Users\user\AppData\Local\Temp\4cfneqnb.ujr
+9 more
Mutexes created (6)
  • Costura744A77D656F10037D4B6978F55F978A8
  • Local\__DDrawExclMode__
  • Local\__DDrawCheckExclMode__
  • \Sessions\1\BaseNamedObjects\Costura744A77D656F10037D4B6978F55F978A8
  • \Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__
+1 more
Dropped payload

Files this sample writes at runtime

This file drops 5 children at runtime. None are currently flagged malicious in our cache.

5 unseen
  • 16a19763520bc5acfa82a4042f (never scanned; never seen before)
  • b5a68ced51d3f5b73d89a3311a (never scanned; never seen before)
  • 7df844a0937127d4ce4cb5b5b4 (never scanned; never seen before)
  • e1e27af7b07eeedf5ce744fa9d (never scanned; never seen before)
  • 2124d4410ff56688cc42387326 (never scanned; never seen before)
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

2 synthesis rules
MITRE ATT&CK profile: Defense evasion × 1; Credential access × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\System32\svchost.exe -k NetworkService -p
  • CredentialDumper (medium)

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
Antivirus engine breakdown

0 detections across 75 engines

0 malicious · 0 suspicious · 75 clean
Tier-1: 17 engines, 0 flagged (top commercial AVs, low FP rate)
Tier-2: 38 engines, 0 flagged (mainstream engines with mixed FP rates)
Low-trust: 20 engines, 0 flagged (heuristic / generic-AI engines, high FP rate)
All 75 engines report this file as clean.
Hash 5a1f018642c9… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders: 357
Hundreds of people have uploaded this — common.
Total submissions: 381
Includes repeat uploads by the same source.
First seen by VT: 12mo ago (Jul 9, 2025)
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries (this file is here)
File identity

Forensic fingerprint

File biography
First seen (VT)
7/9/2025, 10:33:16 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/29/2026, 6:49:42 PM
Scanned here
7/1/2026, 6:34:46 PM
File name
ASUSSupportAgent_1.1.0.0.zip
Size
32.45 MB
MIME type
(unknown)
Detected type
ZIP
SHA-256
5a1f018642c95d4e0acf9bea02904f9f9f11f86e6ab54c0f4d13f40bed41b941
MD5
afca567dfe51c3d1e54e46a34abb6829
SHA-1
cbfae13d042019842efe5174aaab93fed7598550
First scan (MalwareTips)
7/1/2026, 6:34:46 PM
Last scan (MalwareTips)
7/1/2026, 6:34:46 PM
Community reputation: +2 (trusted)
Behavior tags: contains-pe, zip, long-sleeps, detect-debug-environment
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.