| File name: | adwcleaner.exe |
| Full analysis: | https://app.any.run/tasks/9e72b470-aaf6-4465-a6b1-ab943fd4fba5 |
| Verdict: | Malicious activity |
| Analysis date: | June 15, 2024, 15:56:53 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows, UPX compressed |
| MD5: | 31EBA5C542887DEE4507780B2350EB82 |
| SHA1: | 5DA1ADDCEF89747573E18D4CB361ED7D384CC3CB |
| SHA256: | 1F544DA66675521A649E632108F86AFB351AD336BD34B7B5C3D290827EBEEF54 |
| SSDEEP: | 196608:TORsUVmq00uyojm7OpiJS40B7Ar7LA7/XAKf5e3Bvn2F8/E0BzAz:TN/kGiExB7Ar7L45oeFsAz |
MALICIOUS
Drops the executable file immediately after the start
- adwcleaner.exe (PID: 4080)
Steals credentials from Web Browsers
- adwcleaner.exe (PID: 4080)
Actions looks like stealing of personal data
- adwcleaner.exe (PID: 4080)
SUSPICIOUS
Reads the Internet Settings
- adwcleaner.exe (PID: 4080)
Reads the BIOS version
- adwcleaner.exe (PID: 4080)
Searches for installed software
- adwcleaner.exe (PID: 4080)
Reads settings of System Certificates
- adwcleaner.exe (PID: 4080)
The process verifies whether the antivirus software is installed
- adwcleaner.exe (PID: 4080)
INFO
Checks supported languages
- adwcleaner.exe (PID: 4080)
Checks proxy server information
- adwcleaner.exe (PID: 4080)
Reads the machine GUID from the registry
- adwcleaner.exe (PID: 4080)
Reads the computer name
- adwcleaner.exe (PID: 4080)
Create files in a temporary directory
- adwcleaner.exe (PID: 4080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (76) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.6) |
| .exe | | | Generic Win/DOS Executable (5.6) |
| .exe | | | DOS Executable Generic (5.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:08:30 16:45:44+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 8486912 |
| InitializedDataSize: | 126976 |
| UninitializedDataSize: | 14598144 |
| EntryPoint: | 0x1604150 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 8.4.0.0 |
| ProductVersionNumber: | 8.4.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Unknown (0) |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Malwarebytes |
| FileDescription: | AdwCleaner |
| FileVersion: | 8.4.0.0 |
| InternalName: | AdwCleaner |
| LegalCopyright: | Copyright 2022 Malwarebytes |
| LegalTrademarks1: | All Rights Reserved |
| LegalTrademarks2: | All Rights Reserved |
| OriginalFileName: | AdwCleaner.exe |
| ProductName: | AdwCleaner |
| ProductVersion: | 8.4 |
Total processes
39
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3964 | "C:\Users\admin\AppData\Local\Temp\adwcleaner.exe" | C:\Users\admin\AppData\Local\Temp\adwcleaner.exe | — | explorer.exe | |||||||||||
User: admin Company: Malwarebytes Integrity Level: MEDIUM Description: AdwCleaner Exit code: 3221226540 Version: 8.4.0.0 Modules
| |||||||||||||||
| 4080 | "C:\Users\admin\AppData\Local\Temp\adwcleaner.exe" | C:\Users\admin\AppData\Local\Temp\adwcleaner.exe | explorer.exe | ||||||||||||
User: admin Company: Malwarebytes Integrity Level: HIGH Description: AdwCleaner Exit code: 0 Version: 8.4.0.0 Modules
| |||||||||||||||
Total events
127 309
Read events
127 274
Write events
35
Delete events
0
Modification events
| (PID) Process: | (4080) adwcleaner.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
| Operation: | write | Name: | Name |
Value: adwcleaner.exe | |||
| (PID) Process: | (4080) adwcleaner.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4080) adwcleaner.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | @"%windir%\System32\ie4uinit.exe",-738 |
Value: Start Internet Explorer without ActiveX controls or browser extensions. | |||
| (PID) Process: | (4080) adwcleaner.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes |
| Operation: | write | Name: | id |
Value: f95a24512b2f11efa1b912a9866c77de | |||
Executable files
0
Suspicious files
5
Text files
0
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4080 | adwcleaner.exe | C:\AdwCleaner\Logs\AdwCleaner[S00].txt | — | |
MD5:— | SHA256:— | |||
| 4080 | adwcleaner.exe | C:\Users\admin\AppData\Local\Temp\tmp4080baaaaa | binary | |
MD5:03EF1C0012EE77CDA2C2CB36DFBDA123 | SHA256:800D734016D8FBCDE263D8CD2411167406C544FC090A5DCBD2D374CABF918B86 | |||
| 4080 | adwcleaner.exe | C:\Users\admin\AppData\Local\Temp\tmp4080daaaaa | sqlite | |
MD5:03EF1C0012EE77CDA2C2CB36DFBDA123 | SHA256:800D734016D8FBCDE263D8CD2411167406C544FC090A5DCBD2D374CABF918B86 | |||
| 4080 | adwcleaner.exe | C:\AdwCleaner\Logs\adwcleaner.exe_4080_2024-06-15_15-57-45.dmp | binary | |
MD5:5F3C35B837E0682D31A02DD1D3070B44 | SHA256:7E12E1F71600D766F32E6821BB03E95AB72EA7E820931A2FC178176B688900DC | |||
| 4080 | adwcleaner.exe | C:\AdwCleaner\settings | binary | |
MD5:6C669B679DB98E8A8FD934B4C9461056 | SHA256:A3C960C82EDC220C418FDAE6865D350D58D375BA0CB78924C5F2D747FB951BEE | |||
| 4080 | adwcleaner.exe | C:\Users\admin\AppData\Local\Temp\tmp4080aaaaaa | binary | |
MD5:F47EB60CDF981C17722D0CE740129927 | SHA256:0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F | |||
| 4080 | adwcleaner.exe | C:\Users\admin\AppData\Local\Temp\tmp4080caaaaa | sqlite | |
MD5:F47EB60CDF981C17722D0CE740129927 | SHA256:0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
adwcleaner.exe | [Json Parser] Failed to open file "C:\\AdwCleaner\\settings" ( "The system cannot find the file specified." )
|
adwcleaner.exe | [Application] AdwCleaner 8 . 4 . 0 launched
|
adwcleaner.exe | [AdwUpgrade] Checking application updates
|
adwcleaner.exe | [Telemetry] Sending hello
|
adwcleaner.exe | [File Downloader] Error downloading ( QNetworkReply::UnknownNetworkError )
|
adwcleaner.exe | [Telemetry] Status code: QVariant(Invalid)
|
adwcleaner.exe | QIODevice::read (QDisabledNetworkReply): device not open
|
adwcleaner.exe | [Button clicked] EULA agreed
|
adwcleaner.exe | [Scan] Started
|
adwcleaner.exe | [Scan] Loading local database
|