Windows Analysis Report
ATF-Cleaner.exe

Overview

General Information

Sample name: ATF-Cleaner.exe
Analysis ID: 1669046
MD5: d9de89f0faf18019bc9595f0f47bca61
SHA1: 7a044dfe1c5e780f3f2b52b3bd066e463a37886e
SHA256: e900d883001ec60353c2e8e1a54e1c5948a11513fffafbd5a28b44c1e319677a

Detection

Score: 1
Range: 0 - 100
Confidence: 80%

Signatures

AV process strings found (often used to terminate AV products)
Program does not show much activity (idle)
Uses 32bit PE files

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Uses 32bit PE files
Source: ATF-Cleaner.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=atribune%40atribune%2eorgu-
Uses 32bit PE files
Source: ATF-Cleaner.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,@`D*\AC:\Documents and Settings\fucked up\Desktop\vb Projects\ATF Cleaner\New Folder\Atf Cleaner3.vbp
Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: @*\AC:\Documents and Settings\fucked up\Desktop\vb Projects\ATF Cleaner\New Folder\Atf Cleaner3.vbp tm
Source: classification engine Classification label: clean1.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Mutant created: NULL
Source: C:\Users\user\Desktop\ATF-Cleaner.exe File created: C:\Users\user\AppData\Local\Temp\~DF46DEC0923004EC71.TMP Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: advpack.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ATF-Cleaner.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
AV process strings found (often used to terminate AV products)
Source: ATF-Cleaner.exe, 00000000.00000002.2440874901.00000000007CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &&C:\Users\user\Desktop\ATF-Cleaner.exe
Source: ATF-Cleaner.exe, 00000000.00000002.2441490757.00000000022C0000.00000004.00000800.00020000.00000000.sdmp, ATF-Cleaner.exe, 00000000.00000002.2440874901.00000000007BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\ATF-Cleaner.exe
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1669046 Sample: ATF-Cleaner.exe Startdate: 19/04/2025 Architecture: WINDOWS Score: 1 4 ATF-Cleaner.exe 2 2->4         started       
No contacted IP infos