Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2008-Sep-16 08:40:04 |
Detected languages | Chinese - PRC, English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Generic Host Process for Win32 Services |
FileVersion | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) |
InternalName | svchost.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | svchost.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 5.1.2600.2180 |
Info | Matching compiler(s): Microsoft Visual C++, Microsoft Visual C++ v6.0 |
Info | The PE contains common functions which appear in legitimate applications. |
Info | Possibly launches other programs: |
Malicious | VirusTotal score: 54/67 (Scanned on 2018-02-02 16:57:30) |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2008-Sep-16 08:40:04 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0xe00 |
SizeOfInitializedData | 0x1000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00001C3F (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x2000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x5000 |
SizeOfHeaders | 0x400 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | Sleep, WriteFile, CloseHandle, GetWindowsDirectoryA, ReadFile, PeekNamedPipe, CreateProcessA, CreatePipe |
---|---|
WININET.dll | InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetQueryOptionA, InternetSetOptionA, InternetCloseHandle, HttpSendRequestA, HttpSendRequestExA, InternetWriteFile, HttpEndRequestA, InternetReadFile |
MSVCRT.dll | _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __CxxFrameHandler, strstr, strlen, memcpy, ??3@YAXPAX@Z, fread, strcmp, sprintf, strrchr, ftell, fseek, fclose, fopen, ??2@YAPAXI@Z, fwrite, atoi, strcpy, sscanf, strcat, memset, _exit, _XcptFilter, exit, __p___initenv, _strnicmp |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 5.1.2600.2180 |
ProductVersion | 5.1.2600.2180 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Generic Host Process for Win32 Services |
FileVersion (#2) | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) |
InternalName | svchost.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | svchost.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 5.1.2600.2180 |
Resource LangID | Chinese - PRC |
XOR Key | 0xdc567155 |
---|---|
Unmarked objects | 0 |
12 (7291) | 1 |
14 (7299) | 3 |
C objects (8047) | 11 |
Linker (8047) | 2 |
Imports (2179) | 2 |
Total imports | 55 |
19 (8034) | 3 |
C++ objects (VS98 build 8168) | 3 |
Resource objects (VS98 SP6 cvtres build 1736) | 1 |