SHA256: e5edc18319a7adee318e06d3892296829d7f79caf667469e69d3aa47ce7e9734
File name: afc1dcf7a65ddf4e9960d3bfe052e780
Detection ratio: 36 / 52
Analysis date: 2014-06-01 13:33:29 UTC
Antivirus Result Update
Ad-Aware Gen:Application.Keylog.em0@aiSnXwhi 20140601
Yandex Worm.Luder!VtDeNiRkKi4 20140531
AhnLab-V3 Worm/Win32.Luder 20140601
AntiVir TR/Spy.Gen 20140601
Antiy-AVL Worm/Win32.Luder 20140530
AVG Generic33.AVUS 20140601
Baidu-International Worm.Win32.Luder.aINa 20140601
BitDefender Gen:Application.Keylog.em0@aiSnXwhi 20140601
CAT-QuickHeal Trojan.VB.Gen 20140531
Commtouch W32/VBTrojan.17C!Generic 20140601
Comodo UnclassifiedMalware 20140601
DrWeb Trojan.Siggen6.1079 20140601
ESET-NOD32 Win32/VB.NYW 20140601
F-Prot W32/VBTrojan.17C!Generic 20140601
F-Secure Gen:Application.Keylog.em0@aiSnXwhi 20140601
Fortinet W32/Luder.BMNB!worm 20140601
GData Gen:Application.Keylog.em0@aiSnXwhi 20140601
Ikarus Gen.Application.Keylog 20140601
K7AntiVirus Riskware ( 0040eff71 ) 20140530
K7GW Riskware ( 0040eff71 ) 20140530
Kaspersky Worm.Win32.Luder.bmnb 20140601
Kingsoft Worm.Luder.bm.(kcloud) 20140601
McAfee Artemis!AFC1DCF7A65D 20140601
McAfee-GW-Edition Artemis!AFC1DCF7A65D 20140531
eScan Gen:Application.Keylog.em0@aiSnXwhi 20140601
NANO-Antivirus Trojan.Win32.Luder.bttsju 20140601
Panda Trj/Genetic.gen 20140601
Qihoo-360 Win32/Application.Keylog.251 20140601
Sophos AV Mal/Keylog-O 20140601
Symantec WS.Reputation.1 20140601
Tencent Win32.Worm.Luder.Lrsb 20140601
TrendMicro TROJ_GEN.F0C2C00J413 20140601
TrendMicro-HouseCall TSPY_VBKLOG.SMIB 20140601
VBA32 Worm.Luder 20140530
VIPRE Trojan.Win32.Generic!BT 20140601
ViRobot Worm.Win32.S.Luder.69632 20140601
Undetected engines (no result returned; 16 of 52):
AegisLab 20140601
Avast 20140601
Bkav 20140530
ByteHero 20140601
ClamAV 20140530
CMC 20140530
Emsisoft 20140601
Jiangmin 20140531
Malwarebytes 20140601
Microsoft 20140601
Norman 20140601
nProtect 20140601
Rising 20140601
SUPERAntiSpyware 20140531
TheHacker 20140531
TotalDefense 20140601
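The 36 detections above do not all say the same thing: a few vendors name a family (Luder), several name a behaviour (Keylog, VBKLOG), and the rest are generic or reputation verdicts (Artemis, Gen, Riskware, WS.Reputation) that carry no family information. The script below is an added example, not part of the VirusTotal report, that parses rows in the table's own format and tallies what the names agree on. It runs over a subset of the rows copied from the table above; the vendor list and the family keywords are my choice, and the parser handles the two format quirks visible in the table: undetected rows have no result column, and one vendor name ("Sophos AV") contains a space.

```python
import re
from collections import Counter

# Rows copied from the VirusTotal table above (a subset, for brevity).
# Detected rows read "Vendor Result Update"; undetected rows read "Vendor Update".
ROWS = """\
Ad-Aware Gen:Application.Keylog.em0@aiSnXwhi 20140601
Yandex Worm.Luder!VtDeNiRkKi4 20140531
AhnLab-V3 Worm/Win32.Luder 20140601
AntiVir TR/Spy.Gen 20140601
Kaspersky Worm.Win32.Luder.bmnb 20140601
McAfee Artemis!AFC1DCF7A65D 20140601
K7AntiVirus Riskware ( 0040eff71 ) 20140530
Sophos AV Mal/Keylog-O 20140601
Symantec WS.Reputation.1 20140601
TrendMicro-HouseCall TSPY_VBKLOG.SMIB 20140601
ESET-NOD32 Win32/VB.NYW 20140601
Avast 20140601
Microsoft 20140601
ClamAV 20140530
"""

# Vendor names as VirusTotal prints them; needed because a name may contain a space.
KNOWN_VENDORS = {
    "Ad-Aware", "Yandex", "AhnLab-V3", "AntiVir", "Kaspersky", "McAfee",
    "K7AntiVirus", "Sophos AV", "Symantec", "TrendMicro-HouseCall",
    "ESET-NOD32", "Avast", "Microsoft", "ClamAV",
}
DATE_RE = re.compile(r"\s(\d{8})$")

# Family keywords to look for in detection names (my choice for this sample).
FAMILY_PATTERNS = (
    ("Luder", re.compile(r"luder", re.I)),
    ("Keylog", re.compile(r"keylog|klog", re.I)),  # matches Keylog-O and VBKLOG
)


def parse_row(line):
    """Return (vendor, result, update) for one row; result is '' for undetected rows."""
    m = DATE_RE.search(line)
    if not m:
        raise ValueError(f"no update date in row: {line!r}")
    update = m.group(1)
    body = line[: m.start()].strip()
    # Match the longest known vendor prefix so "Sophos AV" is not split into vendor "Sophos".
    vendor = max(
        (v for v in KNOWN_VENDORS if body == v or body.startswith(v + " ")),
        key=len, default=None,
    )
    if vendor is None:
        raise ValueError(f"unknown vendor in row: {line!r}")
    return vendor, body[len(vendor):].strip(), update


def family_of(result):
    """Map a detection name to a family keyword, or None for generic/heuristic names."""
    for family, pat in FAMILY_PATTERNS:
        if pat.search(result):
            return family
    return None


def summarize(rows_text):
    """Detection ratio plus a tally of family keywords across the detected rows."""
    rows = [parse_row(l) for l in rows_text.splitlines() if l.strip()]
    detected = [r for r in rows if r[1]]
    families = Counter(family_of(r[1]) for r in detected)
    generic_only = families.pop(None, 0)
    return {
        "total": len(rows),
        "detected": len(detected),
        "undetected": [r[0] for r in rows if not r[1]],
        "families": dict(families),
        "generic_only": generic_only,
    }


if __name__ == "__main__":
    s = summarize(ROWS)
    print(f"{s['detected']}/{s['total']} detected; families={s['families']}; "
          f"generic-only verdicts={s['generic_only']}")
    print("undetected:", ", ".join(s["undetected"]))
```

On this subset the family tally is Luder 3, Keylog 3, with 5 detections that name no family at all; the lesson is that the headline ratio overstates consensus, and a family label should be taken from the engines that name one rather than from the count.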
The file being studied is a Portable Executable (PE32) Win32 EXE for the Windows GUI subsystem; the TrID result and the runtime imports below identify it as a Visual Basic 6 program.
FileVersionInfo properties
Publisher CrownSoft
Product TKL
Original name tkl.exe
Internal name tkl
File version 1.00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-03-15 23:54:34
Entry Point 0x00001A70
Number of sections 3
PE sections
PE imports (all from the Visual Basic 6 runtime, MSVBVM60.DLL, whose exports these __vba*, _adj_*, _CI*, EVENT_SINK_* and ordinal imports are; the report omits the DLL name)
_adj_fdivr_m64
__vbaGenerateBoundsError
_allmul
_adj_fprem
_adj_fdiv_r
__vbaRecAnsiToUni
__vbaObjSetAddref
Ord(100)
__vbaHresultCheckObj
__vbaR8Str
_CIlog
_adj_fptan
__vbaFileClose
Ord(581)
__vbaI4Var
__vbaRecUniToAnsi
__vbaFreeVar
__vbaFreeStr
__vbaLateIdCallLd
Ord(588)
__vbaFreeStrList
_adj_fdiv_m16i
EVENT_SINK_QueryInterface
__vbaI4Str
Ord(607)
__vbaLenBstr
Ord(594)
Ord(681)
Ord(576)
__vbaStrToUnicode
_adj_fdiv_m32i
__vbaExceptHandler
__vbaSetSystemError
DllFunctionCall
Ord(608)
__vbaStrI4
__vbaFileOpen
__vbaI2Str
_CIsin
Ord(711)
Ord(606)
EVENT_SINK_Release
__vbaVarTstEq
Ord(610)
__vbaOnError
_adj_fdivr_m32i
__vbaStrCat
__vbaVarDup
__vbaChkstk
__vbaPrintFile
__vbaStrCmp
__vbaAryCopy
__vbaFreeObjList
Ord(666)
__vbaVarForNext
__vbaFreeVarList
__vbaStrVarMove
__vbaExitProc
__vbaFreeObj
_adj_fdivr_m32
__vbaStrVarVal
Ord(660)
_CIcos
__vbaVarMove
__vbaFPInt
__vbaErrorOverflow
__vbaNew2
__vbaAryDestruct
__vbaStrMove
_adj_fprem1
Ord(619)
_adj_fdiv_m32
__vbaPrintObj
__vbaEnd
EVENT_SINK_AddRef
_adj_fpatan
Ord(712)
__vbaVarForInit
Ord(612)
Ord(645)
__vbaFPException
__vbaAryVar
_adj_fdivr_m16i
_adj_fdiv_m64
Ord(526)
_CIsqrt
__vbaVarCopy
Ord(593)
__vbaStrCopy
_CIatan
Ord(617)
_CItan
Ord(529)
__vbaObjSet
Ord(644)
__vbaVarCat
_CIexp
__vbaStrToAnsi
__vbaFpR8
__vbaFpI4
Ord(598)
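Two things in this import list matter for triage. First, imphash (printed further down as 4c49e6d4...) is just an MD5 over the normalised "dll.function" import list, so ordinal imports such as Ord(100) and the DLL name both feed into it. Second, a VB6 binary imports only its runtime: every Win32 call made through a Declare statement is resolved at run time via DllFunctionCall, so SetWindowsHookEx, DeviceIoControl and the like never appear in the static import table. The script below is an added example, not part of the report, that computes imphash the way pefile does (lowercased library name with .dll/.ocx/.sys stripped, "ordN" for ordinal imports, entries joined by commas, MD5) and flags the capability hints in the runtime imports. It assumes the imports come from MSVBVM60.DLL, which the page does not print, and uses a subset of the names in the order shown; because the full list and its original order are what VirusTotal hashed, the value it produces is not expected to equal the one on the page.

```python
import hashlib
import re

# Subset of the import names printed above, in the order they appear. The DLL is an
# assumption: the page does not name it, but these are exports of the VB6 runtime.
IMPORTS = [("MSVBVM60.DLL", n) for n in (
    "_adj_fdivr_m64", "__vbaGenerateBoundsError", "_allmul", "__vbaRecAnsiToUni",
    "Ord(100)", "__vbaHresultCheckObj", "__vbaFileClose", "Ord(581)",
    "__vbaLateIdCallLd", "DllFunctionCall", "__vbaFileOpen", "__vbaPrintFile",
    "__vbaStrCat", "__vbaNew2", "Ord(712)",
)]

ORD_RE = re.compile(r"^Ord\((\d+)\)$")

# Heuristic meanings of selected runtime imports (my annotations, not a signature).
CAPABILITY_HINTS = {
    "DllFunctionCall": "resolves Win32 APIs at run time (VB6 Declare); static imports understate capabilities",
    "__vbaFileOpen": "opens a file through the VB runtime (Open statement)",
    "__vbaPrintFile": "writes text to an open file (Print # statement)",
    "__vbaLateIdCallLd": "late-bound COM automation call (IDispatch)",
}


def imphash_entry(dll, name):
    """One 'lib.func' element, normalised as pefile's get_imphash() does it."""
    lib = dll.lower()
    for ext in (".ocx", ".sys", ".dll"):
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    m = ORD_RE.match(name)
    func = f"ord{int(m.group(1))}" if m else name.lower()
    return f"{lib}.{func}"


def imphash_string(imports):
    """The comma-joined string that is hashed; order is significant."""
    return ",".join(imphash_entry(d, n) for d, n in imports)


def imphash(imports):
    """MD5 of the normalised import string, i.e. the imphash."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def triage(imports):
    """Return the capability hints whose import names are present."""
    names = {n for _, n in imports}
    return {n: hint for n, hint in CAPABILITY_HINTS.items() if n in names}


if __name__ == "__main__":
    print("imphash over subset:", imphash(IMPORTS))
    for name, hint in triage(IMPORTS).items():
        print(f"  {name}: {hint}")
```

Note the order dependence: reversing the import list changes the hash, which is why imphash clusters builds of the same source compiled the same way but breaks as soon as the import table is rewritten or padded.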
Number of PE resources by type
RT_ICON 3
1 2
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 4
ENGLISH US 3
PE resources
ExifTool file metadata
UninitializedDataSize 0
InitializedDataSize 8192
ImageVersion 1.0
ProductName TKL
FileVersionNumber 1.0.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
LinkerVersion 6.0
FileOS Win32
MIMEType application/octet-stream
FileVersion 1.0
TimeStamp 2013:03:16 00:54:34+01:00
FileType Win32 EXE
PEType PE32
InternalName tkl
FileAccessDate 2014:06:01 14:35:27+01:00
ProductVersion 1.0
SubsystemVersion 4.0
OSVersion 4.0
FileCreateDate 2014:06:01 14:35:27+01:00
OriginalFilename tkl.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName CrownSoft
CodeSize 57344
FileSubtype 0
ProductVersionNumber 1.0.0.0
EntryPoint 0x1a70
ObjectFileType Executable application
File identification
MD5 afc1dcf7a65ddf4e9960d3bfe052e780
SHA1 65f493fa853805adfabca0c27767ac326b384877
SHA256 e5edc18319a7adee318e06d3892296829d7f79caf667469e69d3aa47ce7e9734
ssdeep 1536:ysdB9W96tWdU/wI2Yg4AZew2wm88fN4IXI7fmHAyCDGerun:pB9W96tWhvX6vXiZvpc
imphash 4c49e6d47d029a0bea52fdef975a878e
File size 68.0 KB ( 69632 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (84.4%)
Win32 Dynamic Link Library (generic) (6.7%)
Win32 Executable (generic) (4.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Tags peexe
VirusTotal metadata
First submission 2013-06-10 01:17:09 UTC
Last submission 2014-06-01 13:33:29 UTC
File names tkl.exe
vt-upload-6pNHd
aa
output.16982335.txt
Final-12-11-2012.ex
tkl
Ts9KJFZ8c.ps1
Final-12-11-2012.exe
RHpeFwC9
16982335
afc1dcf7a65ddf4e9960d3bfe052e780
e5edc18319a7adee318e06d3892296829d7f79caf667469e69d3aa47ce7e9734
8ujDRXSO9k.fon
vt-upload-ZAlzL
Advanced heuristic and reputation engines
ClamAV Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua.
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to device drivers using the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain (the sandbox reports the call as SetWindowsHook; the Win32 function a program actually calls is SetWindowsHookEx). A hook procedure monitors the system for certain types of events, such as keyboard or mouse messages, either for a specific thread or for all threads on the same desktop as the calling thread. Read together with the Keylog and VBKLOG detection names above and the __vbaFileOpen/__vbaPrintFile runtime imports, a hook install is the classic mechanism of a user-mode keylogger that writes captured keystrokes to a file. Neither API appears in the static import table: a VB6 program reaches Win32 through Declare statements that the runtime resolves at run time via DllFunctionCall, so the dynamic report, not the import list, is where these capabilities become visible.