winlogon.exe

The executable winlogon.exe has been detected as malware by 37 anti-virus scanners. It is configured to run automatically when any user logs into Windows, through a Run registry entry (the local user Run setting) named ‘T71Z517’.
MD5:
1b67d82f766ba4d9a76122b45df31856

SHA-1:
d9ec44dae0fa998b951dad343af9a059155cda70

SHA-256:
e0ff2f6b9a13484fd61aff3df02ebb434fdba3aabb5adbb552e3616fe7d826ac

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
5/2/2024 9:27:48 PM UTC

Scan engine                    Detection                                   Engine version
Lavasoft Ad-Aware              Win32.Worm.Brontok.BI                       -39
Agnitum Outpost                Worm.VB                                     7.1.1
AhnLab V3 Security             HEUR/Fakon.mwf                              2015.05.15
Avira AntiVirus                WORM/VB.CZ.14.A                             8.3.1.6
avast!                         Win32:VB-BQD [Wrm]                          2014.9-170315
AVG                            Worm/Generic3                               2018.0.2439
Bitdefender                    Win32.Worm.Brontok.BI                       1.0.20.370
Clam AntiVirus                 Worm.VB-89                                  0.98/21511
Comodo Security                Worm.Win32.VB.CZ_14_A0                      22124
Dr.Web                         Trojan.MulDrop.59624                        9.0.1.074
Emsisoft Anti-Malware          Win32.Worm.Brontok.BI                       8.17.03.15.05
ESET NOD32                     Win32/NoonLight                             11.11631
F-Prot                         W32/Worm.AJ                                 v6.4.7.1.166
F-Secure                       Win32.Worm.Brontok.BI                       11.2017-15-03_4
G Data                         Win32.Worm.Brontok.BI                       17.3.25
IKARUS anti.virus              Trojan.Win32.Agent2                         t3scan.1.8.9.0
K7 AntiVirus                   EmailWorm                                   13.203.15920
Kaspersky                      HEUR:Trojan.Win32.Generic                   14.0.0.-1311
Malwarebytes                   Worm.AutoRun                                v2017.03.15.05
McAfee                         W32/MoonLight.worm                          5600.6095
Microsoft Security Essentials  Worm:Win32/Lightmoon.H                      1.1.11602.0
MicroWorld eScan               Win32.Worm.Brontok.BI                       18.0.0.222
NANO AntiVirus                 Trojan.Win32.VB.crsvto                      0.30.24.1357
Norman                         Lightmoon.Z                                 11.20170315
nProtect                       Win32.Worm.Brontok.BI                       15.05.15.01
Panda Antivirus                Trj/CI.A                                    17.03.15.05
Quick Heal                     Worm.Lightmoon.H2                           3.17.14.00
Rising Antivirus               PE:Trojan.Win32.Generic.1607313B!369570107  23.00.65.17313
Sophos                         W32/Lightmoon-A                             4.98
SUPERAntiSpyware               Trojan.Agent/Gen-Pakon                      8535
Total Defense                  Win32/Brontok.GE                            37.1.62.1
Trend Micro House Call         TROJ_SPNR.01FR13                            7.2.74
Trend Micro                    TROJ_SPNR.01FR13                            10.465.15
Vba32 AntiVirus                Worm.VB                                     3.12.26.4
VIPRE Antivirus                Worm.Win32.Moonlight.gen                    40250
ViRobot                        Worm.Win32.VB.32768[h]                      2014.3.20.0
Zillya! Antivirus              Worm.VB.Win32.2                             2.0.0.2179

File size:
120 KB (122,880 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\windows\templates\o31414z\winlogon.exe

File PE Metadata
Compilation timestamp:
4/8/2009 8:26:18 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x1189

Entry point:
B1, 07, 5E, B8, 5C, B1, 41, 00, 50, 64, FF, 35, 00, 00, 00, 00, 64, 89, 25, 00, 00, 00, 00, 33, C0, 89, 08, 50, 45, 43, 6F, 6D, 70, 61, 63, 74, 32, 00, 82, 3C, 25, 81, A6, 49, 2A, 33, 9D, D6, EC, B8, 06, 94, 03, 10, 9A, BB, 92, B3, 43, 38, 52, 66, 4F, 0A, 0D, 85, A5, D1, A5, 52, 6D, 94, 93, 1C, 51, 4A, 9D, 63, D5, C0, 41, 3A, F7, D6, 69, 7F, E0, 8A, 68, 57, 35, F7, 31, 22, C0, BB, 17, D8, 98, 6A, 63, C8, C6, 57, 85, B4, C1, 48, AF, 7A, AC, B9, 8C, 3E, 36, E8, DC, 4B, C1, 8F, 3B, E0, 10, A8, F5, 26, 7D, 05...

Entropy:
2.5360

Code size:
72 KB (73,728 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
T71Z517

Command:
C:\windows\sa-200622.exe