Loading... Additional Content is being loaded

Windows Analysis Report
ATF-Cleaner.exe

Overview

General Information

Sample name:	ATF-Cleaner.exe
Analysis ID:	1669046
MD5:	d9de89f0faf18019bc9595f0f47bca61
SHA1:	7a044dfe1c5e780f3f2b52b3bd066e463a37886e
SHA256:	e900d883001ec60353c2e8e1a54e1c5948a11513fffafbd5a28b44c1e319677a

Detection

Score:	1
Range:	0 - 100
Confidence:	80%

Signatures

AV process strings found (often used to terminate AV products)

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Signatures

Uses 32bit PE files

Source: ATF-Cleaner.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp

String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=atribune%40atribune%2eorgu-

Uses 32bit PE files

Source: ATF-Cleaner.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,@`D*\AC:\Documents and Settings\fucked up\Desktop\vb Projects\ATF Cleaner\New Folder\Atf Cleaner3.vbp
Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: @*\AC:\Documents and Settings\fucked up\Desktop\vb Projects\ATF Cleaner\New Folder\Atf Cleaner3.vbp tm

Source: classification engine

Classification label: clean1.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

File created: C:\Users\user\AppData\Local\Temp\~DF46DEC0923004EC71.TMP

Jump to behavior

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: msvbvm60.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: vb6zz.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: advpack.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: wintypes.dll			Jump to behavior

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

AV process strings found (often used to terminate AV products)

Source: ATF-Cleaner.exe, 00000000.00000002.2440874901.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &&C:\Users\user\Desktop\ATF-Cleaner.exe
Source: ATF-Cleaner.exe, 00000000.00000002.2441490757.00000000022C0000.00000004.00000800.00020000.00000000.sdmp, ATF-Cleaner.exe, 00000000.00000002.2440874901.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\ATF-Cleaner.exe

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\~DF46DEC0923004EC71.TMP	Composite Document File V2 Document, Cannot read section info	FD64F3F3FFD91C0B58659D2A339F29BE	97A7354C16C093450185AF74D70775D268E6D314	286337540C1362B4B929115CF911FDFA1DA20B938216178318EC97166F687325

Uses 32bit PE files

Source: ATF-Cleaner.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp

String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=atribune%40atribune%2eorgu-

Uses 32bit PE files

Source: ATF-Cleaner.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,@`D*\AC:\Documents and Settings\fucked up\Desktop\vb Projects\ATF Cleaner\New Folder\Atf Cleaner3.vbp
Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: @*\AC:\Documents and Settings\fucked up\Desktop\vb Projects\ATF Cleaner\New Folder\Atf Cleaner3.vbp tm

Source: classification engine

Classification label: clean1.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

File created: C:\Users\user\AppData\Local\Temp\~DF46DEC0923004EC71.TMP

Jump to behavior

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: msvbvm60.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: vb6zz.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: textshaping.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: advpack.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Section loaded: wintypes.dll			Jump to behavior

Source: C:\Users\user\Desktop\ATF-Cleaner.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

AV process strings found (often used to terminate AV products)

Source: ATF-Cleaner.exe, 00000000.00000002.2440874901.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &&C:\Users\user\Desktop\ATF-Cleaner.exe
Source: ATF-Cleaner.exe, 00000000.00000002.2441490757.00000000022C0000.00000004.00000800.00020000.00000000.sdmp, ATF-Cleaner.exe, 00000000.00000002.2440874901.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\ATF-Cleaner.exe