winlogon.exe

npynpwcmt

NVIDIA Corporation 53732746459

The executable winlogon.exe has been detected as malware by 35 of 68 anti-virus scanners. It is set to start automatically when the user logs into Windows, via the current-user Run registry key, under the display name 'NVIDIA Media Center Library'. While running, it connects to li173-99.members.linode.com on TCP port 80 using HTTP. The file name imitates the legitimate Windows logon process, but the genuine winlogon.exe lives in %SystemRoot%\System32 and is started by the system, never from a Run key; this sample runs from a user directory (C:\users\hp\hp1\), and the NVIDIA publisher string embedded in it is not a verified code signature.
Publisher:
NVIDIA Corporation 53732746459

Product:
npynpwcmt

Version:
1.00

MD5:
a92cc1fa026756920491fd355a6128fa

SHA-1:
f76c7813122843a2b4d12822b1d6a0928ba87c19

SHA-256:
19e18c095e8921a63f7de13de7517c6a44ba509040dc2c09215db0bd99da3858

Scanner detections:
35 / 68

Status:
Malware

Analysis date:
4/16/2024 3:51:30 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | Worm.VBNA | 7.1.1
AhnLab V3 Security | Worm/Win32.VBNA | 2013.06.16
Avira AntiVirus | TR/Dropper.Gen | 7.11.84.224
avast! | Win32:VB-OJK [Trj] | 2014.9-170316
AVG | VBCrypt | 2018.0.2438
Bitdefender | Worm.Generic.248132 | 1.0.20.375
Clam AntiVirus | Trojan.Banker-2142 | 0.98/18155
Comodo Security | UnclassifiedMalware | 16437
Dr.Web | Win32.HLLW.Autoruner1.18487 | 9.0.1.075
Emsisoft Anti-Malware | Worm.Generic.248132 | 8.17.03.16.06
ESET NOD32 | Win32/AutoRun.VB.LQ (variant) | 11.8453
Fortinet FortiGate | W32/VB.JT!tr | 3/16/2017
F-Prot | W32/AutoRun.R.gen | v6.4.7.1.166
F-Secure | Worm.Generic.248132 | 11.2017-16-03_5
G Data | Worm.Generic.248132 | 17.3.22
IKARUS anti.virus | Virus.Win32.VB | t3scan.2.0.3.0
K7 AntiVirus | EmailWorm | 13.170.8865
Kaspersky | Worm.Win32.VBNA | 14.0.0.-1316
Malwarebytes | Backdoor.Bot | v2017.03.16.06
McAfee | W32/Autorun.worm.bbm | 5600.6094
Microsoft Security Essentials | Worm:Win32/Autorun.WZ | 1.163.1557.0
NANO AntiVirus | Trojan.Win32.VBNA.utskm | 0.24.0.52848
Norman | VBNA.OS | 11.20170316
nProtect | Trojan/W32.Agent.45056.AVJ | 13.06.15.02
Panda Antivirus | Generic Worm | 17.03.16.06
Quick Heal | Worm.Autorun.WZ4 | 3.17.12.00
Rising Antivirus | Trojan.Win32.VBCode.flp | 23.00.65.17314
Sophos | Mal/VBCheMan-A | 4.90
SUPERAntiSpyware | Trojan.Agent/Gen-Koobface[Bonkers] | 8532
Total Defense | Win32/Autorun.B!generic | 37.0.10467
Trend Micro House Call | WORM_OTORUN.SMJ | 7.2.75
Trend Micro | WORM_OTORUN.SMJ | 10.465.16
Vba32 AntiVirus | Trojan.VBRA.02146 | 3.12.22.2
VIPRE Antivirus | Trojan.Win32.VB.cg | 18752
ViRobot | Worm.Win32.A.VBNA.41238 | 2011.4.7.4223

File size:
44 KB (45,056 bytes)

Product version:
1.00

Original file name:
31.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\hp\hp1\winlogon.exe

File PE Metadata
Compilation timestamp:
1/31/2010 6:44:58 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x1184

Entry point:
68, D0, 17, 40, 00, E8, F0, FF, FF, FF, 00, 00, 48, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 69, 41, 12, 1C, 5C, 2B, 17, 4E, BF, A7, F9, 06, 50, C8, 8A, C7, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 6D, 63, 68, 68, 67, 69, 75, 78, 62, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 02, 00, 00, 00, 02, 00, 00, 00, 10, 16, CC, 38, FD, 7B, 0F, 43, B6, DE, 67, 5F, CF, 3C, 99, 7F, 01, 00, 00, 00, A0, 00, 00, 00...

Entropy:
5.1942

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
28 KB (28,672 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NVIDIA Media Center Library

Command:
C:\users\hp\hp1\winlogon.exe
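The following PowerShell script is an added example for auditing the Run keys described above on a live host; it is not part of the original report or of any vendor tool. The display name, the path convention and the SHA-256 come from this report; the extra system-binary names, the set of registry keys checked and the flagging rules are the editor's assumptions and should be tuned to your environment.

```powershell
# Added example (not from the original report): flag Run entries that resemble this sample.
# Values marked "from report" are taken from the page; everything else is an assumption.

$KnownBadSha256 = '19e18c095e8921a63f7de13de7517c6a44ba509040dc2c09215db0bd99da3858'  # from report
$KnownBadName   = 'NVIDIA Media Center Library'                                       # from report

# Binaries that legitimately exist only under %SystemRoot%. winlogon.exe is from the
# report; the rest are common masquerade targets (assumption).
$SystemBinaryNames = @('winlogon.exe', 'csrss.exe', 'services.exe', 'lsass.exe', 'svchost.exe', 'explorer.exe')

# Autostart locations to inspect (assumption: extend with RunOnce/Wow6432Node variants as needed).
$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ImagePathFromCommand {
    # Extract the executable path from a Run command line (quoted or unquoted, with or without arguments).
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
        $name    = $p.Name
        $command = [string]$p.Value
        $image   = [Environment]::ExpandEnvironmentVariables((Get-ImagePathFromCommand $command))
        $leaf    = [IO.Path]::GetFileName($image).ToLowerInvariant()
        $reasons = @()

        if ($name -eq $KnownBadName) { $reasons += 'display name matches report' }

        # A system-binary name launched from anywhere other than %SystemRoot% is the masquerade tell.
        if (($SystemBinaryNames -contains $leaf) -and
            -not $image.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "system binary name outside $env:SystemRoot"
        }

        if (Test-Path -LiteralPath $image) {
            $sha256 = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
            if ($sha256 -ieq $KnownBadSha256) { $reasons += 'SHA-256 matches report' }
            # The version-resource "publisher" text proves nothing; check the Authenticode signature instead.
            $sig = Get-AuthenticodeSignature -LiteralPath $image
            if ($sig.Status -ne 'Valid') { $reasons += "Authenticode: $($sig.Status)" }
        } else {
            $reasons += 'image not found on disk'   # a Run entry pointing at a missing file is itself worth a look
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                Reasons = ($reasons -join '; ')
            }
        }
    }
}
```

Run it in the context of the affected user for HKCU entries (and elevated for HKLM). A hit on the SHA-256 is conclusive for this exact sample; the name-outside-SystemRoot and signature checks are what catch repacked variants whose hash differs.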


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to li173-99.members.linode.com  (173.230.133.99:80)
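The PowerShell below is an added example, not part of the original report, for checking a host for live traces of the connection described above. The hostname, IP and port come from the report; the process checks are the editor's assumptions. Note that 173.230.133.99 is a Linode shared-hosting address and the engine versions in this report date from 2011 to 2018, so treat the network indicator as dated and low-confidence on its own; the process path check is the stronger signal.

```powershell
# Added example (not from the original report): look for evidence of the reported connection.
$IocIp   = '173.230.133.99'                # from report
$IocHost = 'li173-99.members.linode.com'   # from report
$IocPort = 80                              # from report

# 1. Live TCP sockets to the indicator, joined to the owning process and its image path.
Get-NetTCPConnection -RemoteAddress $IocIp -RemotePort $IocPort -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            State     = $_.State
            Pid       = $_.OwningProcess
            Process   = $proc.ProcessName
            Path      = $proc.Path   # a winlogon.exe outside %SystemRoot%\System32 here is the tell
        }
    }

# 2. Resolver cache: shows the host was looked up even after the socket has closed.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -eq $IocHost -or $_.Data -eq $IocIp }

# 3. Any running process named winlogon whose image is not the genuine one
#    (Path is empty for protected system processes when not elevated, hence the guard).
Get-Process -Name winlogon -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Path -and
        -not $_.Path.StartsWith("$env:SystemRoot\System32", [StringComparison]::OrdinalIgnoreCase)
    } |
    Select-Object Id, Path, StartTime
```

Run elevated so that Get-NetTCPConnection and Get-Process can attribute sockets and paths for every process; without elevation the genuine winlogon.exe reports no Path and is skipped, which is the intended behaviour of the guard in step 3.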

Powered by Reason Core Security