winlogon.exe

qwcttnnbf

The executable winlogon.exe has been detected as malware by 38 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘NVIDIA Media Center Library’. The file name imitates the legitimate Windows logon process, which resides in the System32 directory; this copy instead runs from a user profile folder (C:\users\hp\hp1\winlogon.exe) and is registered under a display name unrelated to its file name.
Product:
qwcttnnbf

Version:
1.00

MD5:
5404b4dde4c10d731686caecee8c06eb

SHA-1:
1d08ec60902f254a46c7fec612fe88e1d795c073

SHA-256:
5cb8faaded0742f6cb7d8a2aadbb660ad19f3102ce07df2d12750633207ef04b

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
4/25/2024 10:00:48 PM UTC

Scan engine                    Detection                        Engine version
Lavasoft Ad-Aware              Gen:Variant.Symmi.16769          256
AegisLab AV Signature          W32.W.AutoRun.bjix!c             2.1.4+
Agnitum Outpost                Worm.AutoRun                     7.1.1
AhnLab V3 Security             Worm/Win32.AutoRun               2016.02.23
Avira AntiVirus                TR/Patched.Ren.Gen               8.3.3.2
Arcabit                        Trojan.Symmi.D4181               1.0.0.656
avast!                         Win32:VB-OLX [Trj]               2014.9-160523
AVG                            Worm/VB.10.O                     2017.0.2734
Bitdefender                    Gen:Variant.Symmi.16769          1.0.20.720
Bkav FE                        W32.MoonWinMTA                   1.3.0.7400
Clam AntiVirus                 Worm.Autorun-3912                0.98/21511
Comodo Security                UnclassifiedMalware              24295
Dr.Web                         Win32.HLLW.Autoruner.49917       9.0.1.0144
Emsisoft Anti-Malware          Gen:Variant.Symmi.16769          8.16.05.23.07
ESET NOD32                     Win32/AutoRun.VB.LQ (variant)    10.13066
Fortinet FortiGate             W32/AutoRun.VB!worm              5/23/2016
F-Prot                         W32/VB.MW.gen                    v6.4.7.1.166
F-Secure                       Gen:Variant.Symmi.16769          11.2016-23-05_2
G Data                         Gen:Variant.Symmi.16769          16.5.25
IKARUS anti.virus              Trojan.Win32.VB                  t3scan.2.0.7.0
K7 AntiVirus                   P2PWorm                          13.213.18814
Kaspersky                      Worm.Win32.AutoRun               14.0.0.166
Malwarebytes                   Backdoor.Bot                     v2016.05.23.07
McAfee                         Swisyn.p                         5600.6390
Microsoft Security Essentials  Trojan:Win32/Bagsu!rfn           1.1.12400.0
MicroWorld eScan               Gen:Variant.Symmi.16769          17.0.0.432
NANO AntiVirus                 Trojan.Win32.AutoRun.cojaxz      1.0.14.6204
Panda Antivirus                Generic Malware                  16.05.23.07
Qihoo 360 Security             Malware.Radar01.Gen              1.0.0.1120
Quick Heal                     Worm.Autorun.AM3                 5.16.14.00
Rising Antivirus               PE:Worm.Autorun!1.9A03 [F]       23.00.65.16521
Sophos                         Mal/VB-BQ                        4.98
SUPERAntiSpyware               Trojan.Agent/Gen-Joke[VB]        9125
Total Defense                  Win32/Autorun.B!generic          37.1.62.1
Trend Micro House Call         WORM_ESFURY.SMN                  7.2.144
Vba32 AntiVirus                MAS.Trojan.VB.0871               3.12.26.4
VIPRE Antivirus                LooksLike.Win32.Malware!vb       47392
ViRobot                        Worm.Win32.A.AutoRun.59392.C[h]  2014.3.20.0

File size:
40 KB (40,960 bytes)

Product version:
1.00

Original file name:
92.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\hp\hp1\winlogon.exe

File PE Metadata
Compilation timestamp:
2/12/2010 11:04:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
384:DkwI4LDnE6w+cU1z6HjbDw18ZhUJDK5FaPmyEYx8+MeHmYNnVfe4Fc8YHylnD1RN:9IIDEWR6D2GYQt+M2qyJ2PhAkw

Entry address:
0x1134

Entry point:
68, 04, 17, 40, 00, E8, F0, FF, FF, FF, 00, 00, 48, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, B7, 9E, B8, D1, 21, D1, CC, 4E, A3, 58, 9C, 68, CA, CD, 37, F9, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 69, 75, 6A, 78, 77, 6F, 69, 73, 6E, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 02, 00, 00, 00, 01, 00, 00, 00, 14, 36, D6, 25, FD, 80, 97, 4C, A1, D4, F8, C7, 79, C0, 7C, BC, 01, 00, 00, 00, A0, 00, 00, 00...

Entropy:
4.3066

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
32 KB (32,768 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NVIDIA Media Center Library

Command:
C:\users\hp\hp1\winlogon.exe

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to li173-99.members.linode.com (173.230.133.99:80)

TCP (HTTP):
Connects to ip234.208-100-26.static.steadfastdns.net (208.100.26.234:80)

TCP (HTTP):
Connects to ip-184-168-221-89.ip.secureserver.net (184.168.221.89:80)

Remove winlogon.exe - Powered by Reason Core Security