Manalyze report for 7108ed065682eaa24b007c54fd994648c868bfe86a0a61648319e9707da73965

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-May-13 13:39:33
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.
CompanyName	Malwarebytes
FileDescription	AdwCleaner
FileVersion	`8.8.1.639`
InternalName	AdwCleaner
LegalCopyright	Copyright 2026 Malwarebytes
LegalTrademarks1	All Rights Reserved
LegalTrademarks2	All Rights Reserved
OriginalFilename	AdwCleaner.exe
ProductName	AdwCleaner
ProductVersion	`8.8.1.639`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: Cleaner.exe`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegDeleteKeyValueW` `Interacts with services: OpenSCManagerW`
Info	The PE's resources present abnormal characteristics.	`Resource 5102 is possibly compressed or encrypted.`
Info	The PE is digitally signed.	`Signer: Malwarebytes Inc` `Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
Suspicious	VirusTotal score: 2/70 (Scanned on 2026-05-20 22:45:35)	`DeepInstinct: MALICIOUS` `TrellixENS: Artemis!94D193C0E9DE`

Hashes

MD5	`94d193c0e9de9800a82bc70caf5c31c7`
SHA1	`ac37e67a148cf50c1ce38ff228b2d1160fd1f631`
SHA256	`7108ed065682eaa24b007c54fd994648c868bfe86a0a61648319e9707da73965`
SHA3	`c53a26a2d2a7bf97995ab2f464629a7cee0c8fd6139fe224197aa4ab07835235`
SSDeep	`196608:Rhd0iNL9rwxqxa+QAmDmFTxQaaMAQmrk/nasQ5OrORMg4cYNkyru1CRz07:Rhd0iYExaQFFafQQkCsrO4cIk8u1CJ07`
Imports Hash	`7520db580899c3e0c584fa7c9d115c94`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x138`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2026-May-13 13:39:33
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x8f5000`
SizeOfInitializedData	`0x1f000`
SizeOfUninitializedData	`0x1048000`
AddressOfEntryPoint	`0x0193D180 (Section: UPX1)`
BaseOfCode	`0x1049000`
BaseOfData	`0x193e000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x195d000`
SizeOfHeaders	`0x400`
Checksum	`0x9343ce`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x1048000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`ab4bee192ff8d654a5820a6802730259`
SHA1	`551646ec25d784ba108f0630eccda78bd6b92841`
SHA256	`38a020c398a37494b955e698e45b9a4f6945362a0540d4563bf706a57ea5f898`
SHA3	`f4b09235f438367446d73c91bdebaf3d255bddd8910c82e22f1cd5ef21568d7a`
VirtualSize	`0x8f5000`
VirtualAddress	`0x1049000`
SizeOfRawData	`0x8f5000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99998`

.rsrc

MD5	`7fda28cde8b0b8cb683f989d74db82f5`
SHA1	`679f9282cf6997500416ef2ecda4cad8e53cae7f`
SHA256	`68eef6eeeb7ed79629e2482a5b219f8c7e18b5555b195ae9b640ac7bb32cecdb`
SHA3	`3f405f4f4223edce2ed8c213d3dceeec256f41e60f656dd9d774a09384717f7c`
VirtualSize	`0x1f000`
VirtualAddress	`0x193e000`
SizeOfRawData	`0x1ee00`
PointerToRawData	`0x8f5400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.12665`

Imports

api-ms-win-core-com-l1-1-0.dll	`CoGetMalloc`
api-ms-win-core-file-l1-1-0.dll	`DeleteVolumeMountPointW`
api-ms-win-core-file-l2-1-0.dll	`CopyFileExW`
api-ms-win-core-libraryloader-l1-2-0.dll	`LoadResource`
api-ms-win-core-libraryloader-l1-2-1.dll	`FindResourceW`
api-ms-win-core-localization-l1-2-0.dll	`GetCPInfo`
api-ms-win-core-memory-l1-1-1.dll	`VirtualUnlock`
api-ms-win-core-registry-l1-1-1.dll	`RegDeleteKeyValueW`
api-ms-win-core-string-l1-1-0.dll	`GetStringTypeW`
api-ms-win-core-synch-l1-1-0.dll	`InitializeCriticalSection`
api-ms-win-core-synch-l1-2-0.dll	`WaitOnAddress`
api-ms-win-core-util-l1-1-0.dll	`EncodePointer`
api-ms-win-core-winrt-l1-1-0.dll	`RoGetActivationFactory`
api-ms-win-core-winrt-string-l1-1-0.dll	`WindowsCreateStringReference`
api-ms-win-security-systemfunctions-l1-1-0.dll	`SystemFunction036`
api-ms-win-service-management-l1-1-0.dll	`OpenSCManagerW`
api-ms-win-shcore-scaling-l1-1-1.dll	`GetDpiForMonitor`
AUTHZ.dll	`AuthzFreeContext`
COMDLG32.dll	`GetOpenFileNameW`
d3d11.dll	`D3D11CreateDevice`
d3d9.dll	`Direct3DCreate9`
dxgi.dll	`CreateDXGIFactory2`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
ntdll.dll	`NtTerminateThread`

Delayed Imports

5101

Type	`BINARY`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.1554`
MD5	`cebcc43ac75a5abc5619d39fbf6ff237`
SHA1	`b079160ca83fe847402c11c248f5267a070486d7`
SHA256	`db4f1f6f2ff0dcd7c2204529ee69c0d123906b722b2491e1e8c49bef80788940`
SHA3	`bec1fa63b1ceeef379794d2ffd7e8696f3d48fee57013ba3039be620747612bb`

5102

Type	`BINARY`
Language	English - United States
Codepage	UNKNOWN
Size	`0x11a78c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99983`
MD5	`f9a2443ac39ae4da7b888b1d57cd5409`
SHA1	`b59b766db22592212a10657ab7359ee41ced0fcc`
SHA256	`1e1d81af7d7487aedcf238d21972908439ba9a19db18484504eea91fe70b87d9`
SHA3	`a312341773b6df91585556fac23d773aa22e899b2c27f1d6e0e7380a06068060`

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5627`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.9564`
Detected Filetype	PNG graphic file
MD5	`cb705b6d7f54c99b4712ca9992b34ad5`
SHA1	`e80909366b32f39b5a22c94504512d9c3c0febd1`
SHA256	`d2843fa5132ab8bd1e0a46892fb4f91d0ca97ffab1c4b90218a04f25613eac4e`
SHA3	`d269e693eb9321126507408aa30afebe6729fcd910d314ebadd827d88f193936`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.6406`
MD5	`950be1bd0231e1c941c4f92f7bcbb316`
SHA1	`a8fed0fc92647625b13a6d8141398c343eff4071`
SHA256	`d59ad31f3046ae888f46d1d83541ad6300f2f1fa5fa465b99656753a0455d057`
SHA3	`0f0868bf7a9f5a6d2f732f8f4e720b689c3f0d9b16e75c03af2e5899c73acadf`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.33285`
MD5	`2b96b9968eb5b3d65c03e87612931fac`
SHA1	`7c3c2c6fc81f8b4b9ddaa5ab6494d9231821330d`
SHA256	`622d4d43a175ed2d1231ac8bbfdcf06492e62ca0e7e6b231401e0bb971eafffe`
SHA3	`95bbbfc8a4a01cd14995883f5fc760128320848b9175bcef6fb48c3e24635154`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.6297`
MD5	`e3da219061f5bc6d38649597edf7064f`
SHA1	`0956c6a137400f16000bffd0b0697aa07be05087`
SHA256	`80a8f68a6800fd669a3014d9a797baad252e33f57d2e7a72a4f45d554870a449`
SHA3	`79ea2106112e8a9542caa953a752541e5e704febae0c0a88ee2fd202c8debb9f`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.27513`
MD5	`8fbe84539e84daee0e5f6090a53e6eb9`
SHA1	`e78408e054a40566b352bcf5d397849bbe321ae7`
SHA256	`3641c6a63c6440b390ac527025e590270ce4e9b197e2767c883fe54a53a5c531`
SHA3	`c5a9d8489acf92bfd77ccf7451a83c2bd7a7579a0c32f4cfd70f62e2efb07b21`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.10277`
MD5	`ff8d851534c7df3cd58bb91fc1c51c7b`
SHA1	`2009407c1b08006f442505e5872085497532a195`
SHA256	`790e94810abb8e04445288925612721e656aa54deff7fe1f23998d2892cd031f`
SHA3	`b50762a27e48c20469874e086e5f8aba0a04383ec07e974ef10ca169d649052d`

IDI_ICON1

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x5a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.94936`
Detected Filetype	Icon file
MD5	`06c0abf9307ff5fb110abfc88ed2e54c`
SHA1	`1e81d79f674922585a475696f2a3b610c44e5aeb`
SHA256	`85772d6ec97872e29710606a0393d3684be0fcf3c009ad379121aa46b52bd456`
SHA3	`99338245b1dd638cfd9dfc82fca304bc97c1aa5750cf91b26055dbacc91024a2`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x378`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.43053`
MD5	`291377a8375e24dc1d740108ec4803b6`
SHA1	`d0bf95f462ee8cddb767abf8a55389046409dd97`
SHA256	`1b50bcbaa716fcfb1acc41df0eeba0b2ecc9863d5eefd2deee636a0bb1ec97a0`
SHA3	`29102841016db06a74ffb4ae59cc0bb86a1fa007c7fd080e09ddb4a7ca80517e`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x415`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.03648`
MD5	`bab3d0e732462fbcd16316620aebc6a4`
SHA1	`eafdcca02db9e5263543ad23a8ddba294ece1f5c`
SHA256	`baeb98a767afe74f98b40b12801d10baa0318aa35d8ba8ed5b37a33cf0b50d77`
SHA3	`c312241015ad441720d1bee46cd091feee51df483f0ebfce375569f8e0d36f0e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	8.8.1.639
ProductVersion	8.8.1.639
FileFlags	`(EMPTY)`
FileOs	`(EMPTY)`
FileType	`VFT_UNKNOWN`
Language	English - United States
CompanyName	Malwarebytes
FileDescription	AdwCleaner
FileVersion (#2)	8.8.1.639
InternalName	AdwCleaner
LegalCopyright	Copyright 2026 Malwarebytes
LegalTrademarks1	All Rights Reserved
LegalTrademarks2	All Rights Reserved
OriginalFilename	AdwCleaner.exe
ProductName	AdwCleaner
ProductVersion (#2)	8.8.1.639

Resource LangID	English - United States

TLS Callbacks

StartAddressOfRawData	`0x1d3ddb0`
EndAddressOfRawData	`0x1d3df24`
AddressOfIndex	`0x1aa0d7c`
AddressOfCallbacks	`0x1d3df24`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_64BYTES`
Callbacks	`0x01D3DD77`

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1a63440`
SEHandlerTable	`0x19f9994`
SEHandlerCount	`5291`

RICH Header

XOR Key	`0xd137554f`
Unmarked objects	`0`
ASM objects (30795)	`52`
C objects (CVTCIL) (30795)	`2`
C objects (VS 2015-2022 runtime 33030)	`22`
C++ objects (30795)	`221`
Imports (VS2008 SP1 build 30729)	`46`
C objects (VS2019 RTM compiler 27508)	`35`
ASM objects (VS 2015-2022 runtime 33030)	`31`
Imports (30795)	`11`
C objects (30795)	`52`
C++ objects (VS 2015-2022 runtime 33030)	`120`
Total imports	`867`
C objects (33134)	`826`
C++ objects (33134)	`284`
C++ objects (LTCG) (33134)	`1121`
Exports (33134)	`1`
Resource objects (33134)	`1`
151	`1`
Linker (33134)	`1`

Errors

[*] Warning: Could not read the name of the DLL to be delay-loaded!
[*] Warning: IMAGE_EXPORT_DIRECTORY field Characteristics is reserved and should be 0!
[!] Error: Could not read the exported DLL name.
[*] Warning: Section UPX0 has a size of 0!

Leave a comment

No comments yet.