egdpsvc.exe

Wsys Control

Banyan Tree Technology Limited

The application egdpsvc.exe, “Wsys Control 10.2.1.2634” by Banyan Tree Technology Limited, has been detected as adware by 27 anti-malware scanners. It is a setup program used to install the application and runs as a separate Windows service (within the context of its own process) named “Wsys Service”. This file is typically installed with the program DProtect by DProtect Lab, which is a potentially unwanted software program. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During installation it establishes connections to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and where the user is located.
Publisher:
Wsys Co., Ltd. (signed by Banyan Tree Technology Limited)

Product:
Wsys Control

Description:
Wsys Control 10.2.1.2634

Version:
10.2.1.2634

MD5:
256f569179d786680cd216c0240a42d3

SHA-1:
f584b2ca7a53d135bbc6c7eab6c43e439bf3a9da

SHA-256:
ac6d61858cb68a5bff6f42106dd11648981d3f8eae3b558b66bb44f014d4ab6e

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
5/19/2024 5:07:40 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | Trojan.Staser | 7.1.1
AhnLab V3 Security | Trojan/Win32.Staser | 2013.09.29
Avira AntiVirus | TR/Staser.rfm | 7.11.120.238
AVG | Win32/Heur | 2014.0.3619
Boost by Reason | Optional.Service.BanyanTreeTechnologyLimited.H | 188163
Comodo Security | Heur.Suspicious | 17470
Dr.Web | Adware.Mutabaha.25 | 9.0.1.0354
ESET NOD32 | Win32/ELEX (variant) | 7.9190
Fortinet FortiGate | W32/Staser.FV!tr | 12/20/2013
K7 AntiVirus | Trojan | 13.174.10575
Kaspersky | Trojan.Win32.Staser | 14.0.0.4592
Malwarebytes | PUP.Optional.Wsys.A | v2013.12.20.01
McAfee | Adware-Bprotect | 5600.7275
Microsoft Security Essentials | Trojan:Win32/Wysotot.A | 1.165.247.01
NANO AntiVirus | Trojan.Win32.Staser.cjecni | 0.28.0.57029
nProtect | Trojan/W32.Staser.825920 | 13.12.19.01
Panda Antivirus | Trj/Staser.A | 13.12.20.01
Quick Heal | Trojan.Staser.fv | 12.13.12.00
Reason Heuristics | PUP.Service.BanyanTreeTechnologyLimited.H | 14.3.1.11
Rising Antivirus | PE:Trojan.Win32.Generic.15CE6B46!365849414 | 23.00.65.131218
Sophos | Mal/VMProtBad-A | 4.96
SUPERAntiSpyware | Trojan.Agent/Gen-ELEX | 10896
Trend Micro House Call | TROJ_GEN.USCK25ACN | 7.2.354
Trend Micro | TROJ_STASER.AB | 10.465.20
Vba32 AntiVirus | Trojan.Staser | 3.12.24.3
VIPRE Antivirus | Elex Installer | 24546
ViRobot | Trojan.Win32.S.Agent.825920 | 2011.4.7.4223

File size:
806.6 KB (825,920 bytes)

Product version:
10.2.1.2634

Copyright:
Copyright (C) 2013

Original file name:
Wsys.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\esafe\egdpsvc.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/10/2013 3:18:54 AM

Valid to:
1/11/2015 3:18:54 AM

Subject:
CN=Banyan Tree Technology Limited, O=Banyan Tree Technology Limited, L=HongKong, S=HongKong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C63E4490F9D28667737C8DE7D3B6805D

File PE Metadata
Compilation timestamp:
9/9/2013 4:20:14 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:8b+pcijEWRxUdNI3bdcRUGNsEobSbOgKWB232LZI5L6b/9IWMql4FQfyy4OMYC53:yaocx138Ii23fq/9I/0PfF4Oa5jh5

Entry address:
0x1C1A48

Entry point:
68, 3A, 36, 5D, 61, 60, C7, 44, 24, 20, 8C, 5A, EB, C1, E8, 5E, 2E, 00, 00, B1, B3, 00, C0, 63, 17, E0, CC, 33, 6D, C2, 52, 82, B2, 1F, F0, FD, 92, 87, A5, 0F, 31, D8, 2A, 03, FD, FF, B3, C2, 63, C1, E9, C0, 63, 17, CB, FA, 13, 86, 27, E9, 37, 65, 20, 59, 59, AB, 9C, F9, D9, 53, A9, 2E, 5A, 44, 83, B9, 1B, F9, DC, EE, 81, 06, 43, 91, 10, BF, 3F, DE, B2, B2, E6, AD, 34, FF, E6, 27, 2B, C1, 63, 17, A9, BA, A3, EA, 8E, 0E, 93, AC, 12, BF, 34, 29, 08, 9A, A4, 65, 67, 34, BF, 71, 55, 27, 8D, C1, 2E, 22, 43, 00...

Code size:
235 KB (240,640 bytes)

Service
Display name:
Wsys Service

Service name:
WsysSvc

Description:
Wsys update service

Type:
Win32OwnProcess


The file egdpsvc.exe has been discovered within the following program.

DProtect  by DProtect Lab
DProtect is an adware web browser extension that will display various popup and banner ads as well as modify the user's web browser search and home page settings.
78% remove it

The file egdpsvc.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to c1.2f.6132.ip4.static.sl-reverse.com (50.97.47.193:80)

TCP (HTTP):
Connects to 7d.a0.a86c.ip4.static.sl-reverse.com (108.168.160.125:80)

Remove egdpsvc.exe - Powered by Reason Core Security