File name:

adwcleaner_7.2.5.0.exe

Full analysis: https://app.any.run/tasks/16c311e3-1c4e-4423-8989-ca4bb14f5cd1
Verdict: Malicious activity
Analysis date: May 16, 2019, 07:47:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

2DA4157E7827059395E543DE6AB5FB13

SHA1:

66C0016F4E96752A3705DD124B90A5175C473049

SHA256:

AEA90F3B78A18E241B01F06933A22FABDEE91DB0F12D3A1FB2E283FC9543C58F

SSDEEP:

196608:vh53hUc/pOUrRT7xAuQQshOHNaQOvovzoL4:vBjFPxAuQAtHEL4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • adwcleaner_7.2.5.0.exe (PID: 2336)

    • Loads the Task Scheduler DLL interface

      • adwcleaner_7.2.5.0.exe (PID: 2336)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • adwcleaner_7.2.5.0.exe (PID: 2336)

    • Reads Environment values

      • adwcleaner_7.2.5.0.exe (PID: 2336)

    • Adds / modifies Windows certificates

      • adwcleaner_7.2.5.0.exe (PID: 2336)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:11:26 14:41:40+01:00
PEType: PE32
LinkerVersion: 12
CodeSize: 7180288
InitializedDataSize: 126976
UninitializedDataSize: 12259328
EntryPoint: 0x128a260
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.2.5.0
ProductVersionNumber: 7.2.5.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Malwarebytes
FileDescription: AdwCleaner
FileVersion: 7.2.5.0
InternalName: AdwCleaner
LegalCopyright: Copyright 2018 Malwarebytes
LegalTrademarks1: All Rights Reserved
LegalTrademarks2: All Rights Reserved
OriginalFileName: AdwCleaner.exe
ProductName: AdwCleaner
ProductVersion: 7.2

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-Nov-2018 13:41:40
Detected languages:
  • English - United States
CompanyName: Malwarebytes
FileDescription: AdwCleaner
FileVersion: 7.2.5.0
InternalName: AdwCleaner
LegalCopyright: Copyright 2018 Malwarebytes
LegalTrademarks1: All Rights Reserved
LegalTrademarks2: All Rights Reserved
OriginalFilename: AdwCleaner.exe
ProductName: AdwCleaner
ProductVersion: 7.2

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 26-Nov-2018 13:41:40
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00BB1000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00BB2000
0x006D9000
0x006D9000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99997
.rsrc
0x0128B000
0x0001F000
0x0001EE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.12775

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.13365
1737
UNKNOWN
English - United States
RT_MANIFEST
2
3.6406
67624
UNKNOWN
English - United States
RT_ICON
3
4.33285
16936
UNKNOWN
English - United States
RT_ICON
4
4.6297
9640
UNKNOWN
English - United States
RT_ICON
5
5.27513
4264
UNKNOWN
English - United States
RT_ICON
6
6.10277
1128
UNKNOWN
English - United States
RT_ICON
5101
5.10135
37
UNKNOWN
English - United States
BINARY
5102
7.99984
1227554
UNKNOWN
English - United States
BINARY
IDI_ICON1
2.94936
90
UNKNOWN
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
CRYPT32.dll
GDI32.dll
IMM32.dll
IPHLPAPI.DLL
KERNEL32.DLL
MPR.dll
NETAPI32.dll
OLEAUT32.dll
SHELL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start adwcleaner_7.2.5.0.exe adwcleaner_7.2.5.0.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2336"C:\Users\admin\AppData\Local\Temp\adwcleaner_7.2.5.0.exe" C:\Users\admin\AppData\Local\Temp\adwcleaner_7.2.5.0.exe
explorer.exe
User:
admin
Company:
Malwarebytes
Integrity Level:
HIGH
Description:
AdwCleaner
Exit code:
0
Version:
7.2.5.0
Modules
Images
c:\users\admin\appdata\local\temp\adwcleaner_7.2.5.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
3404"C:\Users\admin\AppData\Local\Temp\adwcleaner_7.2.5.0.exe" C:\Users\admin\AppData\Local\Temp\adwcleaner_7.2.5.0.exeexplorer.exe
User:
admin
Company:
Malwarebytes
Integrity Level:
MEDIUM
Description:
AdwCleaner
Exit code:
3221226540
Version:
7.2.5.0
Modules
Images
c:\users\admin\appdata\local\temp\adwcleaner_7.2.5.0.exe
c:\systemroot\system32\ntdll.dll
Total events
720
Read events
687
Write events
33
Delete events
0

Modification events

(PID) Process:(2336) adwcleaner_7.2.5.0.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2336) adwcleaner_7.2.5.0.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:(2336) adwcleaner_7.2.5.0.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D03000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B810B000000010000000E00000074006800610077007400650000001D00000001000000100000005B3B67000EEB80022E42605B6B3B72401400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB57485053000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C009000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B060105050703030F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE2000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:(2336) adwcleaner_7.2.5.0.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:@"%windir%\System32\ie4uinit.exe",-738
Value:
Start Internet Explorer without ActiveX controls or browser extensions.
(PID) Process:(2336) adwcleaner_7.2.5.0.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111
Value:
Performs object-based (command-line) functions
(PID) Process:(2336) adwcleaner_7.2.5.0.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Operation:writeName:Blob
Value:
040000000100000010000000410352DC0FF7501B16F0028EBA6F45C50F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D090000000100000042000000304006082B0601050507030406082B0601050507030106082B0601050507030206082B06010505070308060A2B0601040182370A0304060A2B0601040182370A030C6200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD67707390B000000010000001E000000440053005400200052006F006F0074002000430041002000580033000000140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589101D00000001000000100000004558D512EECB27464920897DE7B66053030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C131900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF42420000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510
Executable files
0
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2336adwcleaner_7.2.5.0.exeC:\Users\admin\AppData\Local\Temp\tmp2336aaaaaa
MD5:
SHA256:
2336adwcleaner_7.2.5.0.exeC:\AdwCleaner\Logs\AdwCleaner[S00].txttext
MD5:
SHA256:
2336adwcleaner_7.2.5.0.exeC:\AdwCleaner\settingsbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2336
adwcleaner_7.2.5.0.exe
104.109.82.77:443
adwcleaner.malwarebytes.com
Akamai International B.V.
NL
whitelisted
2336
adwcleaner_7.2.5.0.exe
212.129.58.133:443
telemetry-01.adwc.fr33tux.org
Online S.a.s.
FR
unknown
2336
adwcleaner_7.2.5.0.exe
54.213.252.57:443
telemetry.malwarebytes.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
adwcleaner.malwarebytes.com
  • 104.109.82.77
whitelisted
telemetry-01.adwc.fr33tux.org
  • 212.129.58.133
unknown
telemetry.malwarebytes.com
  • 54.213.252.57
  • 54.148.98.86
  • 52.34.60.210
whitelisted

Threats

No threats detected
Process
Message
adwcleaner_7.2.5.0.exe
QCoreApplication::applicationDirPath: Please instantiate the QApplication object first
adwcleaner_7.2.5.0.exe
[Json Parser] Failed to open file "C:\\AdwCleaner\\settings" ( 0 )
adwcleaner_7.2.5.0.exe
[Application] AdwCleaner 7 . 2 . 5 launched
adwcleaner_7.2.5.0.exe
[AdwUpgrade] Checking application updates
adwcleaner_7.2.5.0.exe
[Telemetry] Sending hello
adwcleaner_7.2.5.0.exe
[SslCert] Issued by ("DigiCert SHA2 High Assurance Server CA")
adwcleaner_7.2.5.0.exe
[SslCert] Issued to ("*.malwarebytes.com")
adwcleaner_7.2.5.0.exe
[SslCert] Locality Name ("Santa Clara")
adwcleaner_7.2.5.0.exe
[SslCert] Organization ("Malwarebytes Inc")
adwcleaner_7.2.5.0.exe
[SslCert] Certificate EffectiveDate: "Mon Oct 2 00:00:00 2017 GMT"
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
adwcleaner_7.2.5.0.exe