winlogon.exe

The executable winlogon.exe has been detected as malware by 29 anti-virus scanners. While running, it connects to the Internet address ir1.fp.vip.sg3.yahoo.com on port 443.
MD5:
9b5f175c8a18fc1fa3bf8f3634c4c1db

SHA-1:
f6ee7173e5860af95f9b31c59e592ecea2471f8f

SHA-256:
195ac6d3da451008dc172ba32e754e304c5dd370739ab87457b7f07e3acd0bb0

Scanner detections:
29 / 68

Status:
Malware

Analysis date:
4/26/2024 8:09:25 AM UTC

Scan engine                    Detection                      Engine version
Agnitum Outpost                Packed/PECompact               7.1.1
AhnLab V3 Security             Worm/Win32.VB                  2013.09.29
Avira AntiVirus                TR/Crypt.PEPM.Gen              7.11.105.20
avast!                         Win32:VB-HJC [Wrm]             2014.9-170316
AVG                            Worm/VB                        2018.0.2438
Baidu Antivirus                Worm.Win32.VB                  4.0.3.17316
Bitdefender                    Worm.Generic.228619            1.0.20.375
Bkav FE                        HW32.CDB                       1.3.0.4246
Comodo Security                Worm.Win32.NoonLight.G         17018
Emsisoft Anti-Malware          Worm.Generic.228619            8.17.03.16.11
ESET NOD32                     Win32/NoonLight                11.8854
Fortinet FortiGate             W32/VB.CZ!worm                 3/16/2017
F-Prot                         W32/Worm.HKC                   v6.4.7.1.166
G Data                         Worm.Generic.228619            17.3.22
IKARUS anti.virus              Virus.Win32.VB                 t3scan.2.0.127
K7 AntiVirus                   EmailWorm                      13.172.9720
Kaspersky                      Worm.Win32.VB                  14.0.0.-1317
McAfee                         W32/MoonLight.worm             5600.6094
Microsoft Security Essentials  Worm:Win32/Lightmoon.gen@mm!A  1.163.1557.0
MicroWorld eScan               Worm.Generic.228619            18.0.0.225
Norman                         Lightmoon.Z                    11.20170316
nProtect                       Worm/W32.Agent.39936.C         13.09.27.03
Quick Heal                     Worm.VB.cz.n2                  3.17.12.00
Sophos                         Mal/VB-F                       4.93
SUPERAntiSpyware               Trojan.Agent/Gen-Pakon         8532
Total Defense                  Win32/Lightmoon.F              37.0.10498
Trend Micro House Call         TROJ_GEN.R021C0CIO13           7.2.75
Trend Micro                    TROJ_GEN.R021C0CIO13           10.465.16
Vba32 AntiVirus                Worm.VB                        3.12.24.3

File size:
39 KB (39,936 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\windows\templates\o17281z\winlogon.exe

File PE Metadata
Compilation timestamp:
3/7/2004 4:47:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x11F8

Entry point:
B8, 3C, B1, 41, 00, 50, 64, FF, 35, 00, 00, 00, 00, 64, 89, 25, 00, 00, 00, 00, 33, C0, 89, 08, 50, 45, 43, 6F, 6D, 70, 61, 63, 74, 32, 00, 62, 58, 57, DA, AA, 7D, B5, D8, 0D, 06, C9, A3, D0, 4D, C0, DE, ED, 55, C9, 8E, 14, 3C, 18, 24, 53, 3E, 5C, 4E, 4F, 10, 81, 37, 75, DC, DB, 62, 89, 73, 3A, D9, 9B, 54, 1E, 3A, 4B, 56, 79, F5, A2, 6E, 20, 56, 2D, 0E, E7, F1, 12, 16, 0C, 68, A8, BD, E4, B1, ED, 9C, 09, 7D, 40, 45, 3D, 20, C5, 01, A8, 42, 15, 99, BA, 5F, 74, 2C, 8A, 47, 3D, 04, 1D, AF, 57, 50, 3D, A9, 4E...

Packer / compiler:
PECompact v2

Code size:
72 KB (73,728 bytes)

Safe Boot Alternate Shell
Name:
516211783062l.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ir1.fp.vip.sg3.yahoo.com (106.10.139.246:443)

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com (8.12.146.61:443)
