Trojan.MSIL.Clicker.CCL

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.MSIL.Clicker.CCL
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
File Description
  • distasteful Barnsley sul bespoke Barnsley distasteful pastes chauffeur Finishes bespoke Keegan distasteful Barnsley sul bespoke Barnsley distasteful pastes chauffeur Finishes bespoke Keegan distasteful Barnsley sul bespoke Barnsley distasteful pastes chauffeur Finishes bespoke Keegan distasteful Barnsley sul bespoke Barnsley distasteful pastes chauffeur Finishes bespoke Keegan
  • hartnett Unstinting mailroom subscribers synched unbelief Fernandina Unstinting hartnett unbelief Fernandina side Unstinting Granules hartnett Unstinting mailroom subscribers synched unbelief Fernandina Unstinting hartnett unbelief Fernandina side Unstinting Granules hartnett Unstinting mailroom subscribers synched unbelief Fernandina Unstinting hartnett unbelief Fernandina side Unstinting Granules hartnett Unstinting mailroom subscribers synched unbelief Fernandina Unstinting hartnett unbelief Fernandina side Unstinting Granules
  • rued gauntlets Blackthorn allred gauntlets Blackthorn Valor bears Platform rued gauntlets Blackthorn allred gauntlets Blackthorn Valor bears Platform rued gauntlets Blackthorn allred gauntlets Blackthorn Valor bears Platform rued gauntlets Blackthorn allred gauntlets Blackthorn Valor bears Platform
  • Smoothed worthier Sheahan wrecks fumbling ludmila Smoothed worthier Sheahan wrecks fumbling ludmila Smoothed worthier Sheahan wrecks fumbling ludmila Smoothed worthier Sheahan wrecks fumbling ludmila Smoothed worthier Sheahan wrecks fumbling ludmila Smoothed worthier Sheahan wrecks fumbling ludmila Smoothed worthier Sheahan wrecks fumbling ludmila
File Version
  • 4.1.4.32
  • 3.3.7.184
  • 2.2.9.29
  • 1.5.5.156
Legal Copyright
  • 2025 Uncollected
  • Keegan
  • Platform
  • Unstinting
Original Filename
  • Keegan
  • Platform
  • Uncollected.exe
  • Unstinting
Product Name
  • Keegan
  • Platform
  • Uncollected
  • Unstinting
Product Version
  • 4.1.4.32
  • 3.3.7.184
  • 2.2.9.29
  • 1.5.5.156

File Traits

  • .NET
  • x86

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabc70.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca832.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbd99.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsqbd6a.tmp\nsexec.dll Generic Write,Read Attributes

Registry Modifications

Key::Value | Data | API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | [binary data, not recoverable from the extracted page] | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | [binary data, not recoverable from the extracted page] | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | [binary data, not recoverable from the extracted page] | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | [binary data, not recoverable from the extracted page] | RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ZwMapViewOfSection
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Encryption Used
  • BCryptOpenAlgorithmProvider

Shell Command Execution

powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Cfyxdhvj\AppData\Local\""
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Yfgdlbbb\AppData\Local\""
powershell -Command "Add-MpPreferencaO27a1aO27a1 -ExclusionPath \"C:\Users\Tfztrnda\AppData\Local\""
powershell -Command "Add-MpPreferencaP70a1aP70a1 -ExclusionPath \"C:\Users\Fttdgesm\AppData\Local\""