» winlogon.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (3)

winlogon.exe

Server FUD

FacebookDLLHacking

This is a setup program which is used to install the application. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘7361798d7231c2bbc8627c7f87c230a7’. The file has been seen being downloaded from www41.zippyshare.com and multiple other hosts.

File name:

winlogon.exe

Publisher:

FacebookDLLHacking

Product:

Server FUD

Description:

Facebook Account Hack

Version:

1.0.0.0

MD5:

a6be2011d7aa86ab14b80b7dd52f9d5a

SHA-1:

6d9dc07e6ff003031dc77861bb014defb35c0ca5

SHA-256:

217bca2d96043984d7b2e9728ad8723a1dc12595184167754fad64eaebe64f4e

Scanner detections:

0 / 68

Status:

Clean (as of last analysis)

Analysis date:

11/30/2024 10:20:03 AM UTC (today)

File size:

449.5 KB (460,288 bytes)

Product version:

1.0.0.0

Original file name:

Server FUD.exe

File type:

Executable application (Win32 EXE)

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\local\temp\winlogon.exe

File PE Metadata

Compilation timestamp:

5/5/2016 3:51:50 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

.NET CLR dependent:

Yes

CTPH (ssdeep):

12288:W3F0kiVnG1Tvdxwu1gmMAxOnJcubyXN0:W3RiVG1TvdxwofxkJcYIN

Entry address:

0x3C59E

Entry point:

FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 78, A4, 6A, D7, 56, B7, C7, E8, DB, 70, 20, 24, EE, CE, BD, C1, AF, 0F, 7C, F5, 2A, C6, 87, 47, 13, 46, 30, A8, 01, 95... 
[+]

Developed / compiled with:

Microsoft Visual C# / Basic .NET

Code size:

233.5 KB (239,104 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

7361798d7231c2bbc8627c7f87c230a7

Command:

"C:\users\{user}\appdata\local\temp\winlogon.exe"..

The file winlogon.exe has been seen being distributed by the following 3 URLs.

http://www41.zippyshare.com/d/7cD93an6/.../Gerador de ZP [ZP Generator hack - HaxReborn 2016].exe

Scan winlogon.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.