winlogon.exe

Windows User Access Controler

Although the file properties claim it was developed by 'Microsoft Corporation', this is not the case: the file is designed to look like a legitimate Microsoft system file. Note that it runs from C:\Program Files\windows user\ rather than from the Windows system directory where the genuine winlogon.exe resides. The application winlogon.exe has been detected as a potentially unwanted program by 28 anti-malware scanners. It is set to execute automatically whenever any user logs into Windows, through a Run registry entry named 'winlogon'. While running, it connects to the Internet address s106.nnuu.net on port 80 using the HTTP protocol.
Publisher:
Microsoft Corporation* (Invalid match)

Product:
Windows User Access Controler

Version:
1.0.0.0

MD5:
f6e242207e37c85c94f743fef62e659c

SHA-1:
484113e69f69e1d3b134c6d1f1d1529d53c0beca

SHA-256:
e2842c1c4a57298691226d475cd54bf675d78cb0419ebc1cc97ff63328b29246

Scanner detections:
28 / 68

Status:
Potentially unwanted

Analysis date:
4/20/2024 2:44:36 AM UTC

Scan engine                    Detection                        Engine version
Lavasoft Ad-Aware              Gen:Variant.Zusy.65736           383
Agnitum Outpost                Trojan.Agent                     7.1.1
AhnLab V3 Security             Trojan/Win32.Generic             2014.10.23
Avira AntiVirus                Worm/Autorun.I.18                7.11.180.144
avast!                         MSIL:KeyLogger-T [Spy]           2014.9-160117
AVG                            Worm/Generic2                    2017.0.2861
Baidu Antivirus                Worm.MSIL.Agent                  4.0.3.16117
Bitdefender                    Gen:Variant.Zusy.65736           1.0.20.85
Bkav FE                        W32.Cloda8d.Trojan               1.3.0.4959
Comodo Security                UnclassifiedMalware              19872
Dr.Web                         Trojan.DownLoader8.35580         9.0.1.017
Emsisoft Anti-Malware          Gen:Variant.Zusy.65736           8.16.01.17.01
ESET NOD32                     MSIL/Autorun.Agent.BT (variant)  10.10603
Fortinet FortiGate             MSIL/Autorun_Agent.AL            1/17/2016
F-Secure                       Gen:Variant.Zusy.65736           11.2016-17-01_1
G Data                         Gen:Variant.Zusy.65736           16.1.24
IKARUS anti.virus              Worm.Win32.Msil                  t3scan.1.7.8.0
Malwarebytes                   RiskWare.Tool.HCK                v2016.01.17.01
McAfee                         Artemis!F6E242207E37             5600.6517
Microsoft Security Essentials  Worm:MSIL/Autorun.I              1.11104
MicroWorld eScan               Gen:Variant.Zusy.65736           17.0.0.51
Norman                         Suspicious_Gen.OXIM              11.20160117
Qihoo 360 Security             Win32/Trojan.Multi.daf           1.0.0.1015
Sophos                         Mal/Generic-S                    4.98
Trend Micro House Call         TROJ_SPNR.03I612                 7.2.17
Trend Micro                    TROJ_SPNR.03I612                 10.465.17
VIPRE Antivirus                Trojan.Win32.Generic             34144
Zillya! Antivirus              Trojan.Genome.Win32.219433       2.0.0.1963

File size:
480 KB (491,520 bytes)

Product version:
1.0.0.0

Copyright:
Copyright 2009 © Microsoft Corporation

Original file name:
Need For Speed Shift Keygen.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\windows user\winlogon.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:VFKflyFrNAkM57W+NVk6MQ4bhk9Ko2zS0LKmgq1+U8KogjG7PUsu7+:bfZWkM57W2kZVhuf0LK5U8KerPs

Entry address:
0x663EE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.2598

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
404 KB (413,696 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
winlogon

Command:
C:\Program Files\windows user\winlogon.exe

The executing file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to s106.nnuu.net (188.40.117.12:80)

Powered by Reason Core Security