winlogon.exe

The executable winlogon.exe has been detected as malware by 28 of 68 anti-virus scanners. It is set to execute automatically whenever any user logs into Windows, through a value named 'winlogon' in the machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) that launches C:\windows2\winlogon.exe. The name is borrowed from the genuine Windows logon process, which lives in %SystemRoot%\System32 and is started by the system itself, never from a Run key; the unusual path and the Run entry are what give this copy away.
MD5:
ab63bcf85b5d7a3acead21f2ebd9ec51

SHA-1:
d3ad93390d5c5c6351d2af7dc7464dc871e7efd4

Scanner detections:
28 / 68

Status:
Malware

Analysis date:
4/29/2024 3:03:45 AM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Win-Trojan/Agent.159744.Q | 5.0.
Avira AntiVirus | TR/Proxy.Gen | 7.9.1.122
Emsisoft A-Squared | Trojan-Proxy.Win32.Agent.kj!IK | 4.5.0.43
avast! | Win32:Agent-EYV | 2014.9-170310
AVG | Proxy | 2018.0.2443
Bitdefender | Trojan.Proxy.Agent.KJ | 1.0.20.345
Clam AntiVirus | Trojan.Proxy-396 | 0.98/171
Comodo Security | Heur.Pck.PKLITE32 | 3446
Dr.Web | Trojan.Spambot | 9.0.1.069
ESET NOD32 | Win32/SpamTool.Agent.NDJ (variant) | 11.4736
Fortinet FortiGate | W32/Agent.KJ!tr | 3/10/2017
F-Prot | W32/Trojan.RBV | v6.4.5.1.85
F-Secure | Trojan.Proxy.Agent.KJ | 11.2017-10-03_6
G Data | Trojan.Proxy.Agent.KJ | 17.3.19
IKARUS anti.virus | Trojan-Proxy.Win32.Agent.kj | t3scan.1.1.79.0
K7 AntiVirus | Trojan-Proxy.Win32.Agent | 13.7.10.935
Kaspersky | Trojan-Proxy.Win32.Agent | 14.0.0.-1290
McAfee | Artemis!AB63BCF85B5D | 5600.6099
Microsoft Security Essentials | Trojan:Win32/Iflar.gen!B | 1.163.1557.0
Norman | W32/Agent.AVVD | 11.20170310
nProtect | Trojan-Proxy/W32.Agent.159744.B | 2009.1.8.0
Panda Antivirus | Trj/Spammer.EW | 17.03.10.10
Prevx | High Risk Cloaked Malware | 3.0
Quick Heal | TrojanProxy.Agent.kj | 3.17.10.00
Rising Antivirus | Trojan.Proxy.Agent.sww | 23.00.65.17308
Sophos | Troj/Agent-EUZ | 4.49
Vba32 AntiVirus | Trojan.Spambot | 3.12.12.1
ViRobot | Trojan.Win32.Proxy.159744.D | 2009.12.31.2118

File size:
156 KB (159,744 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
12/16/2006 8:19:00 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x42000

Entry point:
68, 80, 20, 44, 00, 68, D0, CF, 45, 00, 68, 00, 00, 00, 00, E8, BC, AF, 01, 00, E9, C6, C5, FC, FF, 40, 28, 23, 29, 50, 4B, 4C, 49, 54, 45, 33, 32, 20, 43, 6F, 70, 79, 72, 69, 67, 68, 74, 20, 31, 39, 39, 38, 20, 50, 4B, 57, 41, 52, 45, 20, 49, 6E, 63, 2E, 2C, 20, 41, 6C, 6C, 20, 52, 69, 67, 68, 74, 73, 20, 52, 65, 73, 65, 72, 76, 65, 64, 20, 28, 24, 52, 65, 76, 69, 73, 69, 6F, 6E, 3A, 20, 24, 29, 00, 50, 4B, 4C, 54, 33, 32, 00, 00, 10, 01, 00, 00, 80, 00, 84, 45, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC...

Entropy:
7.1753

Packer / compiler:
PKLITE32, 0x1.1

Code size:
112 KB (114,688 bytes)
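
The entry-point bytes, packer identification and entropy figure above can be checked by hand from the dump itself. The following script is an added example, not part of the original report: it parses the comma-separated hex dump printed under "Entry point", decodes the push/push/push/call/jmp prologue at the start of it, resolves the call and jmp targets against the report's entry address (RVA 0x42000), pulls out the PKLITE32 banner string that follows, and computes Shannon entropy the way the "Entropy" figure is derived. Two things are assumptions rather than facts from the report: the image base 0x400000 (typical for a linker 6.0 Win32 executable, but not stated), and the reading of the jmp target as the original entry point reached after unpacking.

```python
r"""Decode the PKLITE32 entry-point stub shown in the report (added example)."""
import math
import re
import struct
from typing import List, Optional, Tuple

ENTRY_RVA = 0x42000      # "Entry address" from the report
CODE_SIZE = 114_688      # "Code size" from the report
IMAGE_BASE = 0x400000    # ASSUMED: the report does not state the image base

# Leading bytes of the "Entry point" dump, copied from the report (its tail is elided there too).
ENTRY_DUMP = (
    "68, 80, 20, 44, 00, 68, D0, CF, 45, 00, 68, 00, 00, 00, 00, E8, BC, AF, 01, 00, "
    "E9, C6, C5, FC, FF, 40, 28, 23, 29, 50, 4B, 4C, 49, 54, 45, 33, 32, 20, 43, 6F, "
    "70, 79, 72, 69, 67, 68, 74, 20, 31, 39, 39, 38, 20, 50, 4B, 57, 41, 52, 45, 20, "
    "49, 6E, 63, 2E, 2C, 20, 41, 6C, 6C, 20, 52, 69, 67, 68, 74, 73, 20, 52, 65, 73, "
    "65, 72, 76, 65, 64, 20, 28, 24, 52, 65, 76, 69, 73, 69, 6F, 6E, 3A, 20, 24, 29, "
    "00, 50, 4B, 4C, 54, 33, 32, 00, 00, 10, 01, 00, 00, 80, 00, 84, 45, CC, CC, CC..."
)


def parse_hex_dump(text: str) -> bytes:
    """Turn 'AA, BB, ...' into bytes; a trailing '...' (elided tail) is simply ignored."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))


def decode_stub(data: bytes, entry_rva: int = ENTRY_RVA, base: int = IMAGE_BASE) -> List[Tuple[str, int]]:
    """Decode the x86 prologue at the entry point: push imm32, call rel32, jmp rel32.

    Returns (mnemonic, virtual address) pairs.  Decoding stops at the first byte
    that is not one of those three opcodes; in this sample that is the '@' which
    opens the packer banner, so the stub is exactly five instructions long.
    """
    insns, off = [], 0
    while off + 5 <= len(data):
        op = data[off]
        if op == 0x68:                                   # push imm32
            (imm,) = struct.unpack_from("<I", data, off + 1)
            insns.append(("push", imm))
        elif op in (0xE8, 0xE9):                         # call rel32 / jmp rel32
            (rel,) = struct.unpack_from("<i", data, off + 1)
            next_rva = entry_rva + off + 5               # rel32 is relative to the next instruction
            insns.append(("call" if op == 0xE8 else "jmp", base + next_rva + rel))
        else:
            break
        off += 5
    return insns


def packer_banner(data: bytes) -> Optional[str]:
    """Return the printable PKLITE32 banner embedded right after the stub, if present."""
    m = re.search(rb"@\(#\)PKLITE32[\x20-\x7e]*", data)
    return m.group(0).decode("ascii") if m else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; packed or encrypted payloads sit near 7 and above."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def stub_summary(data: bytes) -> dict:
    """Summarise what the stub tells a triager: packer, unpacker address, post-unpack jump."""
    insns = decode_stub(data)
    calls = [va for m, va in insns if m == "call"]
    jmps = [va for m, va in insns if m == "jmp"]
    return {
        "packer": packer_banner(data),
        "unpacker_va": calls[0] if calls else None,
        "jump_va": jmps[0] if jmps else None,
        # A jmp landing inside the first CODE_SIZE bytes after the unpacker call is the
        # usual packer shape; that target is a likely original entry point (inference, not from the report).
        "jump_in_code_section": bool(jmps) and (jmps[0] - IMAGE_BASE) < CODE_SIZE,
    }


if __name__ == "__main__":
    stub = parse_hex_dump(ENTRY_DUMP)
    for mnem, va in decode_stub(stub):
        print(f"{mnem:5s} 0x{va:08X}")
    print("banner:", packer_banner(stub))
    print(f"stub entropy: {shannon_entropy(stub):.3f} bits/byte")
    print(stub_summary(stub))
```

Run against the dump, the call resolves to the same address the second push loads (0x45CFD0, beyond the end of the 156 KB file, so it is filled at run time), and the jmp resolves to 0x40E5DF inside the code section; that pattern, plus the banner, is the same evidence behind Comodo's Heur.Pck.PKLITE32 verdict in the table above.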

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
winlogon

Command:
C:\windows2\winlogon.exe
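
A responder checking other machines for the same persistence does not need the file hash: the tell is a Run-key value that borrows the name of a core Windows process, since Windows never starts winlogon (or csrss, lsass, services, and so on) from a Run key. The script below is an added example, not part of the report: it parses the plain-text output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, extracts the program path from each command, and flags entries whose value name or executable name collides with such a process, noting separately when the binary sits outside a system directory. The CORE_PROCESSES and SYSTEM_DIRS sets, the expansion of %windir% to C:\Windows, and the sample `reg query` output are all constructed for the example; the second sample line reproduces the entry described above.

```python
r"""Flag Run-key entries that impersonate core Windows processes (added example)."""
import ntpath
import re
import sys
from typing import Dict, List

# Processes started by smss/wininit/services, never by the Run keys (assumed list).
CORE_PROCESSES = {"winlogon", "csrss", "smss", "lsass", "services", "wininit", "svchost"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}   # assumed system root C:\Windows

# Constructed `reg query` output: one benign entry plus the entry from the report.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    winlogon    REG_SZ    C:\windows2\winlogon.exe
"""


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Parse `reg query` output into dicts with key, name, type and command."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # unindented line: the key path itself
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)   # name, type, data
        if len(parts) == 3:
            name, vtype, data = parts
            entries.append({"key": key, "name": name, "type": vtype, "command": data})
    return entries


def executable_path(command: str) -> str:
    """Pull the program path out of a Run command, honouring quotes and dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def normalize(path: str) -> str:
    """Expand %windir%/%SystemRoot% (assumed C:\Windows) and lower-case for comparison."""
    path = re.sub(r"%(windir|systemroot)%", r"C:\\Windows", path, flags=re.IGNORECASE)
    return path.lower()


def audit_run_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the entries that collide with a core process name, with the reasons."""
    findings = []
    for e in entries:
        exe = normalize(executable_path(e["command"]))
        directory, filename = ntpath.split(exe)
        stem = filename[:-4] if filename.endswith(".exe") else filename
        reasons = []
        if e["name"].lower() in CORE_PROCESSES or stem in CORE_PROCESSES:
            reasons.append("uses a core Windows process name; those are never started from Run keys")
        if stem in CORE_PROCESSES and directory not in SYSTEM_DIRS:
            reasons.append(f"binary lives in {directory!r}, not in a system directory")
        if reasons:
            findings.append({"key": e["key"], "name": e["name"], "command": e["command"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run > run.txt ; python audit.py run.txt
    text = open(sys.argv[1], encoding="utf-16" if len(sys.argv) > 2 else "utf-8").read() if len(sys.argv) > 1 else SAMPLE_REG_QUERY
    for f in audit_run_entries(parse_reg_query(text)):
        print(f"{f['key']}\\{f['name']} -> {f['command']}")
        for r in f["reasons"]:
            print("   ", r)
```

The same audit should be repeated for the per-user key (HKCU\...\Run) and the RunOnce keys; on the infected machine the finding is exactly the entry listed above, and cleanup means deleting both the value and C:\windows2\winlogon.exe.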


Remove winlogon.exe - Powered by Reason Core Security