winlogon.exe

¼–Œœß¬†Œ‹š’Œ, Inc.

The executable winlogon.exe, described as “windows updation”, has been detected as malware by 31 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘soundtry’.
Publisher:
ActionVoip (signed by ¼–Œœß¬†Œ‹š’Œ, Inc.)

Product:
ActionVoip

Description:
windows updation

Version:
4.8.633.0

MD5:
c158efb42a7e6a59d92525afc438201e

SHA-1:
c2cc84230964bfb0db6780b91ac6e36c822cce21

SHA-256:
117bfc4719a9d5196968e453a8a3027b196503945e1fbdacd071ea7bc1ba25f7

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
5/5/2024 5:06:12 AM UTC

Scan engine                     Detection                     Engine version
Lavasoft Ad-Aware               Trojan.Generic.8235929        64
Agnitum Outpost                 Trojan.VBKrypt                7.1.1
Avira AntiVirus                 BDS/Fynloski.A.5851           7.11.117.44
avast!                          Win32:Trojan-gen              2014.9-161202
AVG                             Generic29                     2017.0.2542
Baidu Antivirus                 Trojan.Win32.Fynloski         4.0.3.16122
Bitdefender                     Trojan.Generic.8235929        1.0.20.1685
Bkav FE                         W32.Clode0b.Trojan            1.3.0.4562
Comodo Security                 UnclassifiedMalware           17365
Dr.Web                          BackDoor.Tordev.7             9.0.1.0337
Emsisoft Anti-Malware           Trojan.Generic.8235929        8.16.12.02.06
ESET NOD32                      Win32/Fynloski.AA             10.9117
Fortinet FortiGate              W32/VBKRYPT.AA!tr             12/2/2016
F-Secure                        Trojan.Generic.8235929        11.2016-02-12_6
G Data                          Trojan.Generic.8235929        16.12.22
IKARUS anti.virus               Trojan.Win32.VBKrypt          t3scan.2.2.29
K7 AntiVirus                    Trojan                        13.174.10361
Kaspersky                       Trojan.Win32.VBKrypt          14.0.0.-796
McAfee                          Artemis!C158EFB42A7E          5600.6198
Microsoft Security Essentials   Backdoor:Win32/Fynloski.A     1.163.1557.0
MicroWorld eScan                Trojan.Generic.8235929        17.0.0.1011
NANO AntiVirus                  Trojan.Win32.VBKrypt.bsjqdp   0.28.0.56420
Norman                          Suspicious_Gen4.ARAEU         11.20161202
Panda Antivirus                 Trj/CI.A                      16.12.02.06
Quick Heal                      Trojan.VBKrypt.mfzm           12.16.12.00
Rising Antivirus                PE:Malware.FakeDOC!1.9C3B     23.00.65.161130
Sophos                          Mal/Generic-L                 4.95
Trend Micro House Call          TROJ_GEN.R0CBC0DJ113          7.2.337
Trend Micro                     TROJ_GEN.R0CBC0DJ113          10.465.02
Vba32 AntiVirus                 TScope.Trojan.VB              3.12.24.3
VIPRE Antivirus                 Trojan.Win32.Generic          23902

File size:
692.9 KB (709,560 bytes)

Product version:
4.08 build 645

Copyright:
(c) ActionVoip, All rights reserved.

Original file name:
ActionVoip.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\winlogon.exe

Digital Signature
Authority:
Thawte Consulting (Pty) Ltd.

Valid from:
5/23/2005 9:56:27 AM

Valid to:
6/24/2007 9:52:41 PM

Subject:
CN="Cisco Systems, Inc.", OU=Security Appliance Engineering, O="¼–Œœß¬†Œ‹š’Œ, Inc.", L=Franklin, S=Massachusetts, C=US

Issuer:
CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

Serial number:
3F5F25

File PE Metadata
Compilation timestamp:
6/18/2012 2:25:15 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Du2+M2iKu/T0736XutWT+PnKPxUO7bdA7L0Fpup8U7/J73/zamJ8pxiAz1+0IlAs:K2+MmgT0736Xuy+va37WXupuSUbJTWmH

Entry address:
0x1090

Entry point:
B8, 00, AD, 55, 00, 50, 64, FF, 35, 00, 00, 00, 00, 64, 89, 25, 00, 00, 00, 00, 33, C0, 89, 08, 50, 45, 43, 6F, 6D, 70, 61, 63, 74, 32, 00, 83, ED, D7, 1F, C2, D3, 07, 2D, E0, A4, 52, 24, 00, A7, D5, 28, DE, C7, FB, 01, E3, 30, 33, F7, F5, 07, 24, C0, 5B, 0E, 64, 1A, 2E, 5D, 8E, 5C, 16, C4, F4, EE, B1, D5, 76, 2D, 44, 06, 6B, 44, 0E, 2B, 03, 1B, 94, 90, AF, AB, EB, 25, 6B, 8F, F6, 2C, B0, 3F, 4A, 74, 52, 67, 53, 37, 7E, 59, 20, 24, 10, 9E, 55, 5D, B3, 3E, 97, 7E, 65, 1D, 26, B8, C6, 91, 13, A6, 3C, EB, 5C...

Entropy:
7.9892

Packer / compiler:
PECompact v2

Code size:
32 KB (32,768 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
soundtry

Command:
C:\users\{user}\appdata\local\temp\winlogon.exe


Remove winlogon.exe - Powered by Reason Core Security