File name: adwcleaner_8.4.0.exe

Full analysis: https://app.any.run/tasks/d5b93b48-f082-4f8f-a05b-5ba966cc5722
Verdict: Malicious activity
Analysis date: February 12, 2024, 23:59:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5: 31EBA5C542887DEE4507780B2350EB82
SHA1: 5DA1ADDCEF89747573E18D4CB361ED7D384CC3CB
SHA256: 1F544DA66675521A649E632108F86AFB351AD336BD34B7B5C3D290827EBEEF54
SSDEEP: 196608:TORsUVmq00uyojm7OpiJS40B7Ar7LA7/XAKf5e3Bvn2F8/E0BzAz:TN/kGiExB7Ar7L45oeFsAz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Steals credentials from Web Browsers

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Actions look like stealing of personal data

      • adwcleaner_8.4.0.exe (PID: 2036)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Searches for installed software

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Reads the BIOS version

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Reads the Internet Settings

      • adwcleaner_8.4.0.exe (PID: 2036)
    • The process verifies whether antivirus software is installed

      • adwcleaner_8.4.0.exe (PID: 2036)
  • INFO

    • Checks proxy server information

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Checks supported languages

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Reads the computer name

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Reads the software policy settings

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Reads the machine GUID from the registry

      • adwcleaner_8.4.0.exe (PID: 2036)
    • Creates files in a temporary directory

      • adwcleaner_8.4.0.exe (PID: 2036)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:30 16:45:44+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 8486912
InitializedDataSize: 126976
UninitializedDataSize: 14598144
EntryPoint: 0x1604150
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 8.4.0.0
ProductVersionNumber: 8.4.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Malwarebytes
FileDescription: AdwCleaner
FileVersion: 8.4.0.0
InternalName: AdwCleaner
LegalCopyright: Copyright 2022 Malwarebytes
LegalTrademarks1: All Rights Reserved
LegalTrademarks2: All Rights Reserved
OriginalFileName: AdwCleaner.exe
ProductName: AdwCleaner
ProductVersion: 8.4
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> adwcleaner_8.4.0.exe -> adwcleaner_8.4.0.exe (no specs)

Process information

PID: 2036
CMD: "C:\Users\admin\AppData\Local\Temp\adwcleaner_8.4.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\adwcleaner_8.4.0.exe
Parent process: explorer.exe
User: admin
Company: Malwarebytes
Integrity Level: HIGH
Description: AdwCleaner
Exit code: 0
Version: 8.4.0.0
Modules (images):
c:\users\admin\appdata\local\temp\adwcleaner_8.4.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\gdi32.dll

PID: 2472
CMD: "C:\Users\admin\AppData\Local\Temp\adwcleaner_8.4.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\adwcleaner_8.4.0.exe
Parent process: explorer.exe
User: admin
Company: Malwarebytes
Integrity Level: MEDIUM
Description: AdwCleaner
Exit code: 3221226540
Version: 8.4.0.0
Modules (images):
c:\users\admin\appdata\local\temp\adwcleaner_8.4.0.exe
c:\windows\system32\ntdll.dll
Total events: 131 467
Read events: 131 414
Write events: 51
Delete events: 2

Modification events

(PID) Process: (2036) adwcleaner_8.4.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: adwcleaner_8.4.0.exe

(PID) Process: (2036) adwcleaner_8.4.0.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2036) adwcleaner_8.4.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation: delete value
Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:

(PID) Process: (2036) adwcleaner_8.4.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value: 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

(PID) Process: (2036) adwcleaner_8.4.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value: 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

(PID) Process: (2036) adwcleaner_8.4.0.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @"%windir%\System32\ie4uinit.exe",-738
Value: Start Internet Explorer without ActiveX controls or browser extensions.

(PID) Process: (2036) adwcleaner_8.4.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes
Operation: write
Name: id
Value: f79baee3ca0211eeafbd12a9866c77de
Executable files: 0
Suspicious files: 4
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type

2036 | adwcleaner_8.4.0.exe | C:\AdwCleaner\Logs\AdwCleaner[S00].txt |
  MD5:
  SHA256:

2036 | adwcleaner_8.4.0.exe | C:\AdwCleaner\Logs\AdwCleaner[S01].txt |
  MD5:
  SHA256:

2036 | adwcleaner_8.4.0.exe | C:\AdwCleaner\settings | binary
  MD5: A900A0F65C6ACAA30F6404621ADABA78
  SHA256: 18F44D52364FD574A2278205BECE4EBEACEFC11DC468A2025A3E8CA717BE03A7

2036 | adwcleaner_8.4.0.exe | C:\Users\admin\AppData\Local\Temp\tmp2036daaaaa | sqlite
  MD5: 03EF1C0012EE77CDA2C2CB36DFBDA123
  SHA256: 800D734016D8FBCDE263D8CD2411167406C544FC090A5DCBD2D374CABF918B86

2036 | adwcleaner_8.4.0.exe | C:\Users\admin\AppData\Local\Temp\tmp2036aaaaaa | binary
  MD5: F47EB60CDF981C17722D0CE740129927
  SHA256: 0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F

2036 | adwcleaner_8.4.0.exe | C:\Users\admin\AppData\Local\Temp\tmp2036baaaaa | binary
  MD5: 03EF1C0012EE77CDA2C2CB36DFBDA123
  SHA256: 800D734016D8FBCDE263D8CD2411167406C544FC090A5DCBD2D374CABF918B86

2036 | adwcleaner_8.4.0.exe | C:\Users\admin\AppData\Local\Temp\tmp2036caaaaa | sqlite
  MD5: F47EB60CDF981C17722D0CE740129927
  SHA256: 0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 15
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
2036 | adwcleaner_8.4.0.exe | 108.138.7.35:443 | adwcleaner.malwarebytes.com | AMAZON-02 | US | unknown
2036 | adwcleaner_8.4.0.exe | 108.138.7.99:443 | adwcleaner.malwarebytes.com | AMAZON-02 | US | unknown
2036 | adwcleaner_8.4.0.exe | 100.21.181.219:443 | telemetry.malwarebytes.com | AMAZON-02 | US | unknown

DNS requests

Domain | IP | Reputation

adwcleaner.malwarebytes.com (whitelisted)
  • 108.138.7.35
  • 108.138.7.13
  • 108.138.7.117
  • 108.138.7.99

telemetry.malwarebytes.com (whitelisted)
  • 100.21.181.219
  • 54.186.107.47
  • 44.226.183.130
  • 52.37.151.61
  • 35.82.193.168
  • 52.13.169.121

Threats

No threats detected
Process | Message
adwcleaner_8.4.0.exe | [Json Parser] Failed to open file "C:\\AdwCleaner\\settings" ( "The system cannot find the file specified." )
adwcleaner_8.4.0.exe | [Application] AdwCleaner 8 . 4 . 0 launched
adwcleaner_8.4.0.exe | [AdwUpgrade] Checking application updates
adwcleaner_8.4.0.exe | [Telemetry] Sending hello
adwcleaner_8.4.0.exe | [SslCert] Issued by ("Amazon RSA 2048 M02")
adwcleaner_8.4.0.exe | [SslCert] Issued to ("malwarebytes.com")
adwcleaner_8.4.0.exe | [SslCert] Locality Name ()
adwcleaner_8.4.0.exe | [SslCert] Organization ()
adwcleaner_8.4.0.exe | [SslCert] Certificate EffectiveDate: "Tue Sep 5 00:00:00 2023 GMT"
adwcleaner_8.4.0.exe | [SslCert] Certificate ExpirationDate: "Thu Oct 3 23:59:59 2024 GMT"