× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: b87c1be1dd90d9ae8e7b04c87a6ab0a2b706ded02e2f4c3db45db1bed9d46642
File name: 93a104caf7b01de69614498de5cf870a
Detection ratio: 40 / 53
Analysis date: 2014-05-25 07:51:03 UTC ( 12 months ago )
Antivirus Result Update
AVG SHeur4.BDLF 20140525
Ad-Aware Trojan.Agent.AZCS 20140525
AhnLab-V3 Trojan/Win32.Jorik 20140524
AntiVir TR/Agent.106496.427 20140524
Antiy-AVL Trojan[Dropper]/Win32.Dapato 20140525
Avast Win32:Reveton-SO [Trj] 20140525
Baidu-International Trojan.Win32.Generic.axcJ 20140525
BitDefender Trojan.Agent.AZCS 20140525
Bkav W32.Clodd50.Trojan.7668 20140523
CAT-QuickHeal Worm.Cridex 20140524
Comodo TrojWare.Win32.Trojan.Agent.Gen 20140524
DrWeb Trojan.Necurs.97 20140525
ESET-NOD32 Win32/Cridex.AA 20140524
Emsisoft Trojan-Dropper.Win32.Dapato (A) 20140525
F-Secure Trojan.Agent.AZCS 20140525
Fortinet W32/Kryptik.ALRY!tr 20140525
GData Trojan.Agent.AZCS 20140525
Ikarus Win32.SuspectCrc 20140525
K7AntiVirus Backdoor ( 04c4fd0b1 ) 20140523
K7GW Backdoor ( 04c4fd0b1 ) 20140523
Kaspersky HEUR:Trojan.Win32.Generic 20140525
Kingsoft Win32.Troj.Agent.zz.(kcloud) 20140525
Malwarebytes Trojan.FakeMS.ED 20140525
McAfee PWS-Zbot-FAQK!93A104CAF7B0 20140525
McAfee-GW-Edition PWS-Zbot-FAQK!93A104CAF7B0 20140525
MicroWorld-eScan Trojan.Agent.AZCS 20140525
Microsoft Worm:Win32/Cridex.E 20140525
NANO-Antivirus Trojan.Win32.Dapato.bkhqts 20140525
Norman Kelihos.TJU 20140525
Panda Trj/Genetic.gen 20140524
Qihoo-360 HEUR/Malware.QVM20.Gen 20140525
Rising PE:Trojan.Win32.Generic.14474520!340215072 20140524
Sophos Mal/EncPk-AIS 20140525
Symantec Trojan.Gen 20140525
Tencent Win32.Trojan.Generic.Htlp 20140525
TrendMicro TROJ_SPNR.14CE13 20140525
TrendMicro-HouseCall TROJ_SPNR.14CE13 20140525
VIPRE Trojan.Win32.Cridex.aa (v) 20140525
Zillya Dropper.Dapato.Win32.17177 20140524
nProtect Trojan.Agent.AZCS 20140525
AegisLab 20140525
Agnitum 20140524
ByteHero 20140525
CMC 20140525
ClamAV 20140525
Commtouch 20140525
F-Prot 20140525
Jiangmin 20140525
SUPERAntiSpyware 20140524
TheHacker 20140525
TotalDefense 20140525
VBA32 20140523
ViRobot 20140524
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Developer metadata
Copyright
© Microsoft Corporation. All rights reserved.

Publisher Microsoft Corporation
Product Microsoft® Windows® Operating System
Original name docprop.dll
Internal name docprop.dll
File version 6.0.6000.16386 (vista_rtm.061101-2205)
Description OLE DocFile Property Page
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-05-27 20:40:22
Link date 9:40 PM 5/27/2006
Entry Point 0x00002B3F
Number of sections 3
PE sections
PE imports
RegFlushKey
RegOpenKeyA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegOpenKeyExA
RegCreateKeyA
GetLastError
lstrlenA
GetFileAttributesA
WaitForSingleObject
FreeLibrary
QueryPerformanceCounter
GetTickCount
DisableThreadLibraryCalls
GetCurrentProcess
GetDateFormatA
LoadLibraryExA
GetCurrentProcessId
lstrcatA
LockResource
CreateDirectoryA
CreateThread
UnhandledExceptionFilter
SetErrorMode
MultiByteToWideChar
GetProcAddress
CloseHandle
WideCharToMultiByte
SetUnhandledExceptionFilter
WriteFile
GetTimeFormatA
GetSystemTimeAsFileTime
lstrcpynA
GetSystemDirectoryA
FreeResource
SetEvent
LocalFree
TerminateProcess
FreeLibraryAndExitThread
LoadResource
lstrcpyA
CreateEventA
InterlockedDecrement
CreateFileA
GetCurrentThreadId
FindResourceA
LocalAlloc
MulDiv
wsprintfA
malloc
free
Number of PE resources by type
RT_ICON 3
RT_GROUP_ICON 3
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 8
ExifTool file metadata
SubsystemVersion
4.0

LinkerVersion
8.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
6.0.6000.16386

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

InitializedDataSize
69632

FileOS
Windows NT 32-bit

MIMEType
application/octet-stream

LegalCopyright
Microsoft Corporation. All rights reserved.

FileVersion
6.0.6000.16386 (vista_rtm.061101-2205)

TimeStamp
2006:05:27 21:40:22+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
docprop.dll

FileAccessDate
2014:05:25 08:54:30+01:00

ProductVersion
6.0.6000.16386

FileDescription
OLE DocFile Property Page

OSVersion
4.0

FileCreateDate
2014:05:25 08:54:30+01:00

OriginalFilename
docprop.dll

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Microsoft Corporation

CodeSize
94208

ProductName
Microsoft Windows Operating System

ProductVersionNumber
6.0.6000.16386

EntryPoint
0x2b3f

ObjectFileType
Dynamic link library

File identification
MD5 93a104caf7b01de69614498de5cf870a
SHA1 656ade98396bc2f671ad7344d179b791b2bece05
SHA256 b87c1be1dd90d9ae8e7b04c87a6ab0a2b706ded02e2f4c3db45db1bed9d46642
ssdeep
1536:iIEtYUlFEaIoeMwGOGlxKB8h+FBQS8//VtrVk6tnPYHezs:P+bEJovdlxI8h+Q//V3K+zs

imphash c7d82948ac5b2ce76830a2add5807aaa
File size 104.0 KB ( 106496 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe

VirusTotal metadata
First submission 2013-03-11 17:22:58 UTC ( 2 years, 2 months ago )
Last submission 2014-05-25 07:51:03 UTC ( 12 months ago )
File names about.exe
8276832.exe
docprop.dll
KB01207714.exe
93a104caf7b01de69614498de5cf870a
adaaffd83f93d3d86bb8b0a9ddbba49b-ddff0d97dba465e36034a0f92edfe762-1363022571
A0110545.EXE
contacts.exe
info.exe
file-5247643_exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Set keys
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
TCP connections