| File name: | adwcleaner.exe |
| Full analysis: | https://app.any.run/tasks/99b254c0-a645-4d45-962e-1f354ff6b015 |
| Verdict: | Malicious activity |
| Analysis date: | January 21, 2024, 04:19:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows, UPX compressed |
| MD5: | 31EBA5C542887DEE4507780B2350EB82 |
| SHA1: | 5DA1ADDCEF89747573E18D4CB361ED7D384CC3CB |
| SHA256: | 1F544DA66675521A649E632108F86AFB351AD336BD34B7B5C3D290827EBEEF54 |
| SSDEEP: | 196608:TORsUVmq00uyojm7OpiJS40B7Ar7LA7/XAKf5e3Bvn2F8/E0BzAz:TN/kGiExB7Ar7L45oeFsAz |
MALICIOUS
Steals credentials from Web Browsers
- adwcleaner.exe (PID: 2080)
Drops the executable file immediately after the start
- adwcleaner.exe (PID: 2080)
Antivirus name has been found in the command line (generic signature)
- netsh.exe (PID: 2384)
Actions looks like stealing of personal data
- adwcleaner.exe (PID: 2080)
SUSPICIOUS
Reads the Internet Settings
- adwcleaner.exe (PID: 2080)
Reads settings of System Certificates
- adwcleaner.exe (PID: 2080)
Searches for installed software
- adwcleaner.exe (PID: 2080)
The process verifies whether the antivirus software is installed
- adwcleaner.exe (PID: 2080)
Reads the BIOS version
- adwcleaner.exe (PID: 2080)
Start notepad (likely ransomware note)
- adwcleaner.exe (PID: 2080)
Suspicious use of NETSH.EXE
- adwcleaner.exe (PID: 2080)
INFO
Create files in a temporary directory
- adwcleaner.exe (PID: 2080)
Reads the computer name
- adwcleaner.exe (PID: 2080)
- wmpnscfg.exe (PID: 2480)
Checks supported languages
- adwcleaner.exe (PID: 2080)
- wmpnscfg.exe (PID: 2480)
Reads the machine GUID from the registry
- adwcleaner.exe (PID: 2080)
Checks proxy server information
- adwcleaner.exe (PID: 2080)
Manual execution by a user
- wmpnscfg.exe (PID: 2480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (76) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.6) |
| .exe | | | Generic Win/DOS Executable (5.6) |
| .exe | | | DOS Executable Generic (5.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:08:30 18:45:44+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 8486912 |
| InitializedDataSize: | 126976 |
| UninitializedDataSize: | 14598144 |
| EntryPoint: | 0x1604150 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 8.4.0.0 |
| ProductVersionNumber: | 8.4.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Unknown (0) |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Malwarebytes |
| FileDescription: | AdwCleaner |
| FileVersion: | 8.4.0.0 |
| InternalName: | AdwCleaner |
| LegalCopyright: | Copyright 2022 Malwarebytes |
| LegalTrademarks1: | All Rights Reserved |
| LegalTrademarks2: | All Rights Reserved |
| OriginalFileName: | AdwCleaner.exe |
| ProductName: | AdwCleaner |
| ProductVersion: | 8.4 |
Total processes
43
Monitored processes
5
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1636 | "C:\Windows\system32\NOTEPAD.EXE" C:\AdwCleaner\Logs\AdwCleaner[S00].txt | C:\Windows\System32\notepad.exe | — | adwcleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2080 | "C:\Users\admin\AppData\Local\Temp\adwcleaner.exe" | C:\Users\admin\AppData\Local\Temp\adwcleaner.exe | explorer.exe | ||||||||||||
User: admin Company: Malwarebytes Integrity Level: HIGH Description: AdwCleaner Exit code: 0 Version: 8.4.0.0 Modules
| |||||||||||||||
| 2120 | "C:\Users\admin\AppData\Local\Temp\adwcleaner.exe" | C:\Users\admin\AppData\Local\Temp\adwcleaner.exe | — | explorer.exe | |||||||||||
User: admin Company: Malwarebytes Integrity Level: MEDIUM Description: AdwCleaner Exit code: 3221226540 Version: 8.4.0.0 Modules
| |||||||||||||||
| 2384 | "C:\Windows\System32\netsh.exe" winsock reset | C:\Windows\System32\netsh.exe | — | adwcleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2480 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
17 039
Read events
16 828
Write events
92
Delete events
119
Modification events
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
| Operation: | write | Name: | Name |
Value: Explorer.EXE | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\8c057075-f93a-4142-b985-bac60c985a89_RASAPI32 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\8c057075-f93a-4142-b985-bac60c985a89_RASMANCS |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AcroRd32_RASAPI32 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AcroRd32_RASMANCS |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\b6a7104a-9a13-411f-abf2-a3f71d8cca14_RASAPI32 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\b6a7104a-9a13-411f-abf2-a3f71d8cca14_RASMANCS |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Carrier_RASAPI32 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Carrier_RASMANCS |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
0
Suspicious files
4
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2080 | adwcleaner.exe | C:\AdwCleaner\Logs\AdwCleaner[S00].txt | — | |
MD5:— | SHA256:— | |||
| 2080 | adwcleaner.exe | C:\AdwCleaner\Logs\AdwCleaner[C00].txt | — | |
MD5:— | SHA256:— | |||
| 2080 | adwcleaner.exe | C:\Users\admin\AppData\Local\Temp\tmp2080aaaaaa | binary | |
MD5:F47EB60CDF981C17722D0CE740129927 | SHA256:0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F | |||
| 2080 | adwcleaner.exe | C:\AdwCleaner\settings | binary | |
MD5:A2CFCF5166CCB4040538EF183781FEF5 | SHA256:28B1FEAFDADD02E20EC2BA9A2BD569C647FC03ED68D6CE053B1C488B7341B63A | |||
| 2080 | adwcleaner.exe | C:\Users\admin\AppData\Local\Temp\tmp2080baaaaa | binary | |
MD5:03EF1C0012EE77CDA2C2CB36DFBDA123 | SHA256:800D734016D8FBCDE263D8CD2411167406C544FC090A5DCBD2D374CABF918B86 | |||
| 2080 | adwcleaner.exe | C:\AdwCleaner\Logs\scanInfo | binary | |
MD5:7C19CECDFEF873DAD4B0E1F383EC3F72 | SHA256:ED4BFF0BF797856FCA729E8F886830D7605844FE02D3DA72BE74DA6AC59A62B6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
13
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2080 | adwcleaner.exe | 18.173.187.122:443 | adwcleaner.malwarebytes.com | — | US | unknown |
2080 | adwcleaner.exe | 35.82.107.56:443 | telemetry.malwarebytes.com | AMAZON-02 | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
adwcleaner.malwarebytes.com |
| whitelisted |
telemetry.malwarebytes.com |
| whitelisted |
Threats
Process | Message |
|---|---|
adwcleaner.exe | [Json Parser] Failed to open file "C:\\AdwCleaner\\settings" ( "The system cannot find the file specified." )
|
adwcleaner.exe | [Application] AdwCleaner 8 . 4 . 0 launched
|
adwcleaner.exe | [AdwUpgrade] Checking application updates
|
adwcleaner.exe | [Telemetry] Sending hello
|
adwcleaner.exe | [SslCert] ALPN: None
|
adwcleaner.exe | [SslCert] Certificate ExpirationDate: "Thu Oct 3 23:59:59 2024 GMT"
|
adwcleaner.exe | [Telemetry] Status code: QVariant(int, 200)
|
adwcleaner.exe | [SslCert] Issued to ("malwarebytes.com")
|
adwcleaner.exe | [SslCert] Organization ()
|
adwcleaner.exe | [SslCert] Certificate EffectiveDate: "Tue Sep 5 00:00:00 2023 GMT"
|