Simple Windows API logger
Logs Windows API calls with their parameters, calling module, thread id, return code, time taken, last status and last error, based on a simple hooking engine.
Malware is wild and chaotic by nature: you cannot know for sure how a malicious sample will behave, so API logging is a very useful pre-analysis information source, as it shows what is going on at the different analysis stages.
The real difference between such tools is the hooking engine they use. Commonly there are two types of API hooking:

- IAT hooking
- Inline hooking (detouring)
Whatever method is used for dynamic or manual API resolving, the resolver has to loop over the export address table (EAT) to get the API address. Placing our hooks in the EAT therefore deceives the resolver into picking up the address of the trampoline instead of the address of the API, which makes for a really good API logger that can handle real-life advanced malware samples. Of course, EAT hooking comes with its own problems; here are some of them and how I dealt with them:

- Modules' IATs are already built
- The EAT holds RVAs instead of absolute addresses
- It requires DLL injection
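As an added illustration of the mechanism described above (example code, not xLogger's), the following walks the export address table of a constructed PE32+ image the way a dynamic resolver does, rewrites one export's EAT slot so that the lookup lands on a trampoline, and puts two of the caveats into code: the slot is a 32-bit RVA rather than an absolute address, and a forwarded export (the kernel32!AddDllDirectory case) has no slot to hook. It ends with the check an analyst can run to spot such a hook. The module base and trampoline addresses are made up.

```python
"""Toy export address table (EAT) walk on a constructed PE32+ image: how a
resolver finds an export, how an EAT hook redirects it, and how an analyst spots
the redirect. Added example, not xLogger's code; image and addresses are made up."""
import struct

SIZE_OF_IMAGE = 0x2000
EXPORT_DIR, EXPORT_SIZE = 0x200, 0x300                    # export directory span
FUNCS, NAMES, ORDS, STRINGS = 0x300, 0x340, 0x380, 0x400   # EAT arrays and strings
# name -> code RVA; None marks a forwarded export (as kernel32 forwards this one)
EXPORTS = {"AddDllDirectory": None, "CreateFileW": 0x1000, "ReadFile": 0x1040}
FORWARDER = b"KERNELBASE.AddDllDirectory\0"


def build_image() -> bytearray:
    """Minimal PE32+ image laid out so that RVA == offset (constructed data)."""
    img = bytearray(SIZE_OF_IMAGE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 0xF0, 0)  # COFF header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", img, opt + 56, SIZE_OF_IMAGE)
    struct.pack_into("<II", img, opt + 112, EXPORT_DIR, EXPORT_SIZE)   # DataDirectory[0]
    str_rva = STRINGS
    for i, name in enumerate(sorted(EXPORTS)):                     # name table is sorted
        target = EXPORTS[name]
        if target is None:          # a forwarder's slot holds the RVA of a string
            target = str_rva        # that lies inside the export directory itself
            img[str_rva:str_rva + len(FORWARDER)] = FORWARDER
            str_rva += len(FORWARDER)
        struct.pack_into("<I", img, FUNCS + 4 * i, target)
        struct.pack_into("<I", img, NAMES + 4 * i, str_rva)
        struct.pack_into("<H", img, ORDS + 2 * i, i)
        img[str_rva:str_rva + len(name) + 1] = name.encode() + b"\0"
        str_rva += len(name) + 1
    n = len(EXPORTS)   # IMAGE_EXPORT_DIRECTORY: ..., Name, Base=1, NumberOfFunctions, NumberOfNames, arrays
    struct.pack_into("<IIHHIIIIIII", img, EXPORT_DIR, 0, 0, 0, 0, 0, 1, n, n, FUNCS, NAMES, ORDS)
    return img


def _cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode()


def iter_exports(img):
    """Walk the EAT the way a resolver does: name table -> ordinal table -> slot
    in AddressOfFunctions. Yields (name, slot offset, RVA, forwarder or None)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    opt = e_lfanew + 24
    dd = opt + (112 if struct.unpack_from("<H", img, opt)[0] == 0x20B else 96)  # PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", img, dd)
    (_, _, _, _, _, _, _, nnames,
     funcs, names, ords) = struct.unpack_from("<IIHHIIIIIII", img, exp_rva)
    for i in range(nnames):
        name = _cstr(img, struct.unpack_from("<I", img, names + 4 * i)[0])
        ordinal = struct.unpack_from("<H", img, ords + 2 * i)[0]
        slot = funcs + 4 * ordinal
        rva = struct.unpack_from("<I", img, slot)[0]
        fwd = _cstr(img, rva) if exp_rva <= rva < exp_rva + exp_size else None
        yield name, slot, rva, fwd


def resolve(img, base, name):
    """GetProcAddress-style lookup: absolute address, forwarder string, or None."""
    for n, _, rva, fwd in iter_exports(img):
        if n == name:
            return fwd if fwd else base + rva
    return None


def hook_export(img, base, name, trampoline_va):
    """Redirect an export by rewriting its EAT slot. The slot is a 32-bit RVA, so
    the trampoline must sit within 4 GiB above the module base (the 'EAT holds
    RVAs' problem); a forwarded export has no code slot here, its target has."""
    for n, slot, _, fwd in iter_exports(img):
        if n != name:
            continue
        if fwd:
            raise ValueError(f"{name} is forwarded to {fwd}; hook that module instead")
        rva = trampoline_va - base
        if not 0 <= rva < 1 << 32:
            raise ValueError("trampoline is not expressible as an RVA from this base")
        struct.pack_into("<I", img, slot, rva)
        return
    raise KeyError(name)


def find_eat_hooks(img):
    """Analyst check: an export whose RVA lies beyond SizeOfImage points at code
    that is not part of the module, which is what an EAT hook looks like."""
    size_of_image = struct.unpack_from("<I", img, struct.unpack_from("<I", img, 0x3C)[0] + 24 + 56)[0]
    return [n for n, _, rva, fwd in iter_exports(img) if fwd is None and rva >= size_of_image]


if __name__ == "__main__":
    img, base = build_image(), 0x7FF800000000
    hook_export(img, base, "CreateFileW", 0x7FF800100000)
    print(hex(resolve(img, base, "CreateFileW")), find_eat_hooks(img))  # 0x7ff800100000 ['CreateFileW']
```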
Usage: xLogger <Options> [-c [CommandLine]|-attach [Pid]] -l [LogFile]
Options:
--external-mods <list of modules>: Log calls from these modules with the main module
--exclude-apis <list of dll:api>: Never log calls made to these apis
--exclude-mods <list of modules>: Never log calls made to these modules
--exclude-all-apis-except <list of dll:api>: Only log calls made to these apis
--exclude-all-mods-except <list of modules>: Only log calls made to these modules
--detach-on-exit: Keep the process running when the logger exits (the process will continue logging)
--detach-on-system: Detach on reaching the system/attach breakpoint (the process will continue logging)
--hide-debugger: Hide the debugger from being detected by IsDebuggerPresent, PEB BeingDebugged, ...
--external-console: Run the process at external console (only with -c switch)
--apis-dir <directory path>: directory of api definition files (default: WinApi)
--headers-dir <directory path>: directory of headers definition files (default: WinApi\headers)
-v: verbose mode
| Option | Description | Example |
|---|---|---|
| `-c` | Run the given command line under the logger | `-c "evil.exe param"`<br>`-c "\"c:\malware folder\evil.exe\" \"param one\""` |
| `-attach` | Attach the logger to a running process by its PID | `-attach 1337` |
| `-l` | Write the log to this file; it can be followed while the process runs with PowerShell's `Get-Content -wait` | `-l log.txt` |
| `--external-mods` | Log calls from these modules together with the main module | `--external-mods kernelbase.dll,msvcrt.dll,evil.dll` |
| `--exclude-apis` | Never log calls made to these APIs | `--exclude-apis kernel32.dll:GetLastError,kernelbase.dll:GetLastError` |
| `--exclude-mods` | Same as `--exclude-apis`, but instead of APIs, the listed modules will not be hooked | `--exclude-mods msvcrt.dll` |
| `--exclude-all-apis-except` | Only log calls made to these APIs | `--exclude-all-apis-except kernel32.dll:CreateProcessInternalW,ntdll.dll:NtCreateProcess` |
| `--exclude-all-mods-except` | Only log calls made to these modules | `--exclude-all-mods-except kernel32.dll` |
| `--detach-on-exit` | Keep the process running when the logger exits (the process will continue logging) | |
| `--detach-on-system` | Detach on reaching the system breakpoint (with `-c`) or the attach breakpoint (with `-attach`); the process will continue logging | |
| `--hide-debugger` | Hide the debugger from the process; currently only `NtGlobalFlag` and `BeingDebugged` are hidden, in the future ScyllaHide will be used | |
| `--external-console` | Run the process in an external console (only with `-c`) | |
| `--apis-dir` | Directory of the API definition files (default: `WinApi`), see below | |
| `--headers-dir` | Directory of the header definition files (default: `WinApi\Headers`) | |
| `-v` | Verbose mode | |

The `--apis-dir` directory holds one definition file per DLL (`kernel32.api`, `kernelbase.api`, ...). Each API is an ini-style section listing its parameters in order, the parameter count and the header definition files it needs:

```ini
[CreateFile]
1=LPCTSTR lpFileName
2=[FILE_ACCESS_MASK] dwDesiredAccess
3=[FILE_SHARE_MODE] dwShareMode
4=LPSECURITY_ATTRIBUTES lpSecurityAttributes
5=[CreationDisposition] dwCreationDisposition
6=[FlagsAndAttributes] dwFlagsAndAttributes
7=HANDLE hTemplateFile
ParamCount=7
Header=kernel32.h.api;native.h.api;security.h.api;windows.h.api;
```

Forwarded exports are handled with `SourceModule`: `kernel32!AddDllDirectory` is forwarded to `kernelbase!AddDllDirectory`, so the definition of `AddDllDirectory` is put in `kernel32.api` and `kernelbase.api` only contains:

```ini
[AddDllDirectory]
SourceModule=kernel32.api
```
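The definition-file format described above, read by an added parser (example code, not xLogger's own loader): it collects the numbered parameters, checks them against `ParamCount`, splits the `Header=` list and follows `SourceModule=` to the module that really carries the definition. Both files are constructed from the README's snippets; the on-disk grammar beyond what those snippets show is an assumption.

```python
"""Reader for xLogger-style .api definition files (the WinApi directory format
quoted above) including the SourceModule= forwarder convention. Added example,
not xLogger's own loader; both files below are constructed from the README's
snippets and the exact on-disk grammar beyond them is an assumption."""
import configparser
import re

ENUM_TYPE = re.compile(r"^\[(\w+)\]\s+(\S+)$")   # "[FILE_ACCESS_MASK] dwDesiredAccess"

API_FILES = {  # module definition file -> contents (constructed sample)
    "kernel32.api": """
[CreateFile]
1=LPCTSTR lpFileName
2=[FILE_ACCESS_MASK] dwDesiredAccess
3=[FILE_SHARE_MODE] dwShareMode
4=LPSECURITY_ATTRIBUTES lpSecurityAttributes
5=[CreationDisposition] dwCreationDisposition
6=[FlagsAndAttributes] dwFlagsAndAttributes
7=HANDLE hTemplateFile
ParamCount=7
Header=kernel32.h.api;native.h.api;security.h.api;windows.h.api;

[AddDllDirectory]
1=PCWSTR NewDirectory
ParamCount=1
Header=kernel32.h.api;
""",
    "kernelbase.api": """
[AddDllDirectory]
SourceModule=kernel32.api
""",
}


def parse_api_file(text):
    """One .api file -> {api: {"params": [...], "headers": [...]}} or, for a
    forwarded export, {api: {"forward": "<module>.api"}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                          # keep parameter names' case
    cp.read_string(text)
    defs = {}
    for api in cp.sections():
        sec = cp[api]
        if "SourceModule" in sec:
            defs[api] = {"forward": sec["SourceModule"]}
            continue
        params = []
        for idx in sorted((k for k in sec if k.isdigit()), key=int):
            m = ENUM_TYPE.match(sec[idx])         # "[Type] name" marks an enum/flag type
            if m:
                params.append({"type": m.group(1), "name": m.group(2), "enum": True})
            else:
                typ, name = sec[idx].rsplit(" ", 1)
                params.append({"type": typ, "name": name, "enum": False})
        declared = int(sec.get("ParamCount", len(params)))
        if declared != len(params):               # declared count must match the list
            raise ValueError(f"{api}: ParamCount={declared} but {len(params)} parameters listed")
        headers = [h for h in sec.get("Header", "").split(";") if h]
        defs[api] = {"params": params, "headers": headers}
    return defs


def load_definitions(files):
    return {module: parse_api_file(text) for module, text in files.items()}


def lookup(defs, module, api):
    """Resolve module!api, following SourceModule= to the module that carries the
    real definition (kernelbase!AddDllDirectory -> kernel32!AddDllDirectory)."""
    seen = set()
    while (module, api) not in seen:
        seen.add((module, api))
        entry = defs[module][api]
        if "forward" not in entry:
            return module, entry
        module = entry["forward"]
    raise ValueError(f"SourceModule loop at {module}!{api}")


if __name__ == "__main__":
    defs = load_definitions(API_FILES)
    print(lookup(defs, "kernelbase.api", "AddDllDirectory"))
```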
Future options

- `--auto-attach`: automatically attach the logger to any process created by the current process (I have the theory, just need time)
- `--log-all`: log calls to all exported functions, even those not defined in the DLL's definition file
- `--inject-dll`: inject a custom DLL at the system/attach breakpoint

Example log output:

[mal_v1.exe] [0x1484] LoadLibrary (
LPCTSTR lpFileName = "NTDLL"
) -> 0x777d0000 [0x25 µs]
[mal_v1.exe] [0x1484] LoadLibrary (
LPCTSTR lpFileName = "shlwapi"
) -> 0x756e0000 [0x47 µs]
[mal_v1.exe] [0x1484] LoadLibrary (
LPCTSTR lpFileName = "shell32"
) -> 0x75ea0000 [0x2f µs]
[mal_v1.exe] [0x1484] GetEnvironmentVariable (
LPCTSTR lpName = "localappdata",
LPTSTR lpBuffer = L"",
DWORD nSize = 0x104
) -> 0x24 [0xa µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = "C:\\Users\\Administrator\\AppData\\Local",
LPSTR lpString2 = "\\Microsoft\\config.vbe"
) -> 0x40b110 [0x4 µs]
[mal_v1.exe] [0x1484] GetEnvironmentVariable (
LPCTSTR lpName = "localappdata",
LPTSTR lpBuffer = L"",
DWORD nSize = 0x104
) -> 0x24 [0x3 µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = "C:\\Users\\Administrator\\AppData\\Local",
LPSTR lpString2 = "\\Microsoft\\tmscv.exe"
) -> 0x40b000 [0x0 µs]
[mal_v1.exe] [0x1484] GetModuleFileName (
HMODULE hModule = 0x0,
LPTSTR lpFilename = L"",
DWORD nSize = 0x104
) -> 0x29 [0x3 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "C:\\Users\\Administrator\\Desktop\\mal_v1.exe"
) -> 0x0 [0x15 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "mal_v1.exe"
) -> 0xa [0x0 µs]
[mal_v1.exe] [0x1484] CreateToolhelp32Snapshot (
CreateToolhelp32SnapshotFlags dwFlags = TH32CS_SNAPPROCESS,
DWORD th32ProcessID = 0x0
) -> 0x78 [0x131 µs]
[mal_v1.exe] [0x1484] Process32First (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3f µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "[System Process]"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "[System Process]"
) -> 0x10 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "[system process]"
) -> 0x1 [0x5 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2c µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "System"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "System"
) -> 0x6 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "system"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3f µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "smss.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "smss.exe"
) -> 0x8 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "smss.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "csrss.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "csrss.exe"
) -> 0x9 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "csrss.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "csrss.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "csrss.exe"
) -> 0x9 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "csrss.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x50 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "wininit.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "wininit.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "wininit.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "winlogon.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "winlogon.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "winlogon.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "services.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "services.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "services.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "lsass.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "lsass.exe"
) -> 0x9 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "lsass.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x45 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "lsm.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "lsm.exe"
) -> 0x7 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "lsm.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x77 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3a µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "vmacthlp.exe"
) -> 0x149f488 [0x2 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "vmacthlp.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "vmacthlp.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x49 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x3 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x2 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x2 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2f µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x4a µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x47 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0xe µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3e µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x39 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "spoolsv.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "spoolsv.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "spoolsv.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x46 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x46 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2d µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "IpOverUsbSvc.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "IpOverUsbSvc.exe"
) -> 0x10 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "ipoverusbsvc.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "cygrunsrv.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "cygrunsrv.exe"
) -> 0xd [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "cygrunsrv.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x31 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "sqlwriter.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "sqlwriter.exe"
) -> 0xd [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "sqlwriter.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2c µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "conhost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "conhost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "conhost.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2a µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "VGAuthService.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "VGAuthService.exe"
) -> 0x11 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "vgauthservice.exe"
) -> 0xffffffff [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x45 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "sshd.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "sshd.exe"
) -> 0x8 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "sshd.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "vmtoolsd.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "vmtoolsd.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "vmtoolsd.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "ManagementAgentHost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "ManagementAgentHost.exe"
) -> 0x17 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "managementagenthost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "BuildService.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "BuildService.exe"
) -> 0x10 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "buildservice.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3d µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "CoordService.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "CoordService.exe"
) -> 0x10 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "coordservice.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x53 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "sppsvc.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "sppsvc.exe"
) -> 0xa [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "sppsvc.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x36 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x2 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2d µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "WmiPrvSE.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "WmiPrvSE.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "wmiprvse.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "msdtc.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "msdtc.exe"
) -> 0x9 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "msdtc.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x39 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x48 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "GoogleCrashHandler.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "GoogleCrashHandler.exe"
) -> 0x16 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "googlecrashhandler.exe"
) -> 0x1 [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2d µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "GoogleCrashHandler64.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "GoogleCrashHandler64.exe"
) -> 0x18 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "googlecrashhandler64.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "taskhost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "taskhost.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "taskhost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "dwm.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "dwm.exe"
) -> 0x7 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "dwm.exe"
) -> 0x1 [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x39 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "explorer.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "explorer.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "explorer.exe"
) -> 0x1 [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2d µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "vmtoolsd.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "vmtoolsd.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "vmtoolsd.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "Everything.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "Everything.exe"
) -> 0xe [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "everything.exe"
) -> 0x1 [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x47 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "jusched.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "jusched.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "jusched.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x36 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "xgTrayIcon.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "xgTrayIcon.exe"
) -> 0xe [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "xgtrayicon.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2e µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "jucheck.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "jucheck.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "jucheck.exe"
) -> 0x1 [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2c µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "TrustedInstaller.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "TrustedInstaller.exe"
) -> 0x14 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "trustedinstaller.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x32 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "SearchIndexer.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "SearchIndexer.exe"
) -> 0x11 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "searchindexer.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2d µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "taskhost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "taskhost.exe"
) -> 0xc [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "taskhost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2c µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "CompatTelRunner.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "CompatTelRunner.exe"
) -> 0x13 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "compattelrunner.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2c µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "conhost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "conhost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "conhost.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2c µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "OSPPSVC.EXE"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "OSPPSVC.EXE"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "osppsvc.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "CompatTelRunner.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "CompatTelRunner.exe"
) -> 0x13 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "compattelrunner.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x46 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "cmd.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "cmd.exe"
) -> 0x7 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "cmd.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2b µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "conhost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "conhost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "conhost.exe"
) -> 0x1 [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x32 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "VSSVC.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "VSSVC.exe"
) -> 0x9 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "vssvc.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x48 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "svchost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "svchost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "svchost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2f µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "SearchProtocolHost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "SearchProtocolHost.exe"
) -> 0x16 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "searchprotocolhost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x30 µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "dllhost.exe"
) -> 0x149f488 [0x2 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "dllhost.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "dllhost.exe"
) -> 0x1 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2e µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "SearchFilterHost.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "SearchFilterHost.exe"
) -> 0x14 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "searchfilterhost.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x3a µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "xLogger.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "xLogger.exe"
) -> 0xb [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "xlogger.exe"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x1 [0x2c µs]
[mal_v1.exe] [0x1484] PathStripPath (
LPTSTR pszPath = "mal_v1.exe"
) -> 0x149f488 [0x1 µs]
[mal_v1.exe] [0x1484] lstrlen (
LPCSTR lpString = "mal_v1.exe"
) -> 0xa [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "mal_v1.exe",
const char* string2 = "mal_v1.exe"
) -> 0x0 [0x0 µs]
[mal_v1.exe] [0x1484] Process32Next (
HANDLE hSnapshot = 0x78,
LPPROCESSENTRY32 lppe = 0x149f464
) -> 0x0 [0x3f µs]
[mal_v1.exe] [0x1484] CloseHandle (
HANDLE hObject = 0x78
) -> 0x1 [0x13 µs]
[mal_v1.exe] [0x1484] GetModuleFileName (
HMODULE hModule = 0x0,
LPTSTR lpFilename = "",
DWORD nSize = 0x104
) -> 0x29 [0x6 µs]
[mal_v1.exe] [0x1484] GetModuleFileName (
HMODULE hModule = 0x0,
LPTSTR lpFilename = L"",
DWORD nSize = 0x104
) -> 0x29 [0x2 µs]
[mal_v1.exe] [0x1484] GetFullPathName (
LPCTSTR lpFileName = "C:\\Users\\Administrator\\Desktop\\mal_v1.exe",
DWORD nBufferLength = 0x104,
LPTSTR lpBuffer = "C:\\Users\\Administrator\\Desktop\\mal_v1.exe",
LPTSTR* lpFilePart = 0x149f5a8
) -> 0x29 [0x1a µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = L"",
LPSTR lpString2 = "\"RI\" "
) -> 0x40d230 [0x1 µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = "\"RI\" ",
LPSTR lpString2 = "\"-path\" \"\\\""
) -> 0x40d230 [0x0 µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = "\"RI\" \"-path\" \"\\\"",
LPSTR lpString2 = "C:\\Users\\Administrator\\Desktop\\mal_v1.exe"
) -> 0x40d230 [0x1 µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = "\"RI\" \"-path\" \"\\\"C:\\Users\\Administrator\\Desktop\\mal_v1.exe",
LPSTR lpString2 = "\\\"\" \"-force\""
) -> 0x40d230 [0x1 µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = L"",
LPSTR lpString2 = "TYPELIB"
) -> 0x40f240 [0x1 µs]
[mal_v1.exe] [0x1484] GetModuleHandle (
LPCTSTR lpModuleName = NULL
) -> 0x400000 [0x1 µs]
[mal_v1.exe] [0x1484] WideCharToMultiByte (
CodePageEnum CodePage = CP_ACP,
WideCharFlags dwFlags = 0x0,
LPCWSTR lpWideCharStr = L"TYPELIB",
int cchWideChar = 0x7,
LPSTR lpMultiByteStr = L"",
int cbMultiByte = 0x8,
LPCSTR lpDefaultChar = NULL,
LPBOOL lpUsedDefaultChar = 0x0
) -> 0x7 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "TYPELIB",
const char* string2 = "TYPELIB"
) -> 0x0 [0x0 µs]
[mal_v1.exe] [0x1484] WideCharToMultiByte (
CodePageEnum CodePage = CP_ACP,
WideCharFlags dwFlags = 0x0,
LPCWSTR lpWideCharStr = L"A",
int cchWideChar = 0x1,
LPSTR lpMultiByteStr = L"",
int cbMultiByte = 0x2,
LPCSTR lpDefaultChar = NULL,
LPBOOL lpUsedDefaultChar = 0x0
) -> 0x1 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = L"A",
const char* string2 = L"A"
) -> 0x0 [0x0 µs]
[mal_v1.exe] [0x1484] CreateFile (
LPCTSTR lpFileName = "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\tmscv.exe",
FILE_ACCESS_MASK dwDesiredAccess = GENERIC_WRITE,
FILE_SHARE_MODE dwShareMode = 0x0,
LPSECURITY_ATTRIBUTES lpSecurityAttributes = 0x0,
CreationDisposition dwCreationDisposition = CREATE_ALWAYS,
FlagsAndAttributes dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL,
HANDLE hTemplateFile = 0x0
) -> 0x78 [0x96 µs]
[mal_v1.exe] [0x1484] WriteFile (
HANDLE hFile = 0x78,
LPCVOID lpBuffer = 0x414254,
DWORD nNumberOfBytesToWrite = 0x29400,
LPDWORD lpNumberOfBytesWritten = 0x149f57c,
LPOVERLAPPED lpOverlapped = 0x0
) -> 0x1 [0x10e µs]
[mal_v1.exe] [0x1484] CloseHandle (
HANDLE hObject = 0x78
) -> 0x1 [0x50 µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = "",
LPSTR lpString2 = "TYPESCR"
) -> 0x40f240 [0x0 µs]
[mal_v1.exe] [0x1484] GetModuleHandle (
LPCTSTR lpModuleName = NULL
) -> 0x400000 [0x1 µs]
[mal_v1.exe] [0x1484] WideCharToMultiByte (
CodePageEnum CodePage = CP_ACP,
WideCharFlags dwFlags = 0x0,
LPCWSTR lpWideCharStr = L"TYPELIB",
int cchWideChar = 0x7,
LPSTR lpMultiByteStr = "TYPELIB",
int cbMultiByte = 0x8,
LPCSTR lpDefaultChar = NULL,
LPBOOL lpUsedDefaultChar = 0x0
) -> 0x7 [0x0 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "TYPELIB",
const char* string2 = "TYPESCR"
) -> 0xffffffff [0x1 µs]
[mal_v1.exe] [0x1484] WideCharToMultiByte (
CodePageEnum CodePage = CP_ACP,
WideCharFlags dwFlags = 0x0,
LPCWSTR lpWideCharStr = L"TYPESCR",
int cchWideChar = 0x7,
LPSTR lpMultiByteStr = "TYPELIB",
int cbMultiByte = 0x8,
LPCSTR lpDefaultChar = NULL,
LPBOOL lpUsedDefaultChar = 0x0
) -> 0x7 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = "TYPESCR",
const char* string2 = "TYPESCR"
) -> 0x0 [0x0 µs]
[mal_v1.exe] [0x1484] WideCharToMultiByte (
CodePageEnum CodePage = CP_ACP,
WideCharFlags dwFlags = 0x0,
LPCWSTR lpWideCharStr = L"B",
int cchWideChar = 0x1,
LPSTR lpMultiByteStr = L"A",
int cbMultiByte = 0x2,
LPCSTR lpDefaultChar = NULL,
LPBOOL lpUsedDefaultChar = 0x0
) -> 0x1 [0x1 µs]
[mal_v1.exe] [0x1484] strcmp (
const char* string1 = L"B",
const char* string2 = L"B"
) -> 0x0 [0x0 µs]
[mal_v1.exe] [0x1484] CreateFile (
LPCTSTR lpFileName = "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\config.vbe",
FILE_ACCESS_MASK dwDesiredAccess = GENERIC_WRITE,
FILE_SHARE_MODE dwShareMode = 0x0,
LPSECURITY_ATTRIBUTES lpSecurityAttributes = 0x0,
CreationDisposition dwCreationDisposition = CREATE_ALWAYS,
FlagsAndAttributes dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL,
HANDLE hTemplateFile = 0x0
) -> 0x78 [0x4a µs]
[mal_v1.exe] [0x1484] WriteFile (
HANDLE hFile = 0x78,
LPCVOID lpBuffer = 0x43d654,
DWORD nNumberOfBytesToWrite = 0xf8,
LPDWORD lpNumberOfBytesWritten = 0x149f57c,
LPOVERLAPPED lpOverlapped = 0x0
) -> 0x1 [0x14 µs]
[mal_v1.exe] [0x1484] CloseHandle (
HANDLE hObject = 0x78
) -> 0x1 [0x49 µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = L"",
LPSTR lpString2 = "\"RI\" \"-path\" \"\\\"C:\\Users\\Administrator\\Desktop\\mal_v1.exe\\\"\" \"-force\""
) -> 0x410300 [0x1 µs]
[mal_v1.exe] [0x1484] lstrcat (
LPSTR lpString1 = "\"RI\" \"-path\" \"\\\"C:\\Users\\Administrator\\Desktop\\mal_v1.exe\\\"\" \"-force\"",
LPSTR lpString2 = L""
) -> 0x410300 [0x0 µs]
[mal_v1.exe] [0x1484] ShellExecute (
HWND hwnd = 0x0,
LPCTSTR lpOperation = "OPEN",
LPCTSTR lpFile = "Powershell",
LPCTSTR lpParameters = "\"RI\" \"-path\" \"\\\"C:\\Users\\Administrator\\Desktop\\mal_v1.exe\\\"\" \"-force\"",
LPCTSTR lpDirectory = L"",
ShowWindowCmd nShowCmd = SW_HIDE
) -> 0x2a [0x66 µs]
[mal_v1.exe] [0x1484] ExitProcess (
UINT uExitCode = 0x104
)
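Every call in the trace above has the same shape: a `[module] [thread id] Api (` header, one `TYPE name = value` line per parameter, and a `) -> return [time µs]` trailer (a bare `)` when the call never returns, as with ExitProcess). The script below, added here as an example and not part of xLogger, parses that layout and pulls out the two facts an analyst reads off first, the files created for writing and the programs launched; its input is a constructed excerpt of the trace, and the field names and filters are this example's own choices.

```python
# Added example (not part of xLogger): parse its trace format and triage the calls.
import re

HEADER = re.compile(r'^\[(?P<mod>[^\]]+)\] \[(?P<tid>0x[0-9a-fA-F]+)\] (?P<api>\w+) \($')
RETURN = re.compile(r'^\) -> (?P<ret>\S+) \[(?P<us>0x[0-9a-fA-F]+) µs\]$')
PARAM = re.compile(r'^(?P<type>.+?) (?P<name>\w+) = (?P<val>.*?),?$')

def unquote(val):
    """C-style literal ("..." or L"...") back to a plain string; other values unchanged."""
    val = val[1:] if val.startswith('L"') else val
    if len(val) >= 2 and val[0] == val[-1] == '"':
        return re.sub(r'\\(.)', r'\1', val[1:-1])   # \\ -> \  and  \" -> "
    return val                                       # handle, number or enum

def parse_trace(text):
    """One dict per logged call; 'ret' stays None for a call that never returned."""
    calls, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.match(line):
            cur = {'module': m['mod'], 'tid': int(m['tid'], 16), 'api': m['api'],
                   'params': {}, 'ret': None, 'micros': None}
            calls.append(cur)
        elif (m := RETURN.match(line)) or line == ')':   # bare ')' = no return (ExitProcess)
            if m and cur:
                cur['ret'], cur['micros'] = m['ret'], int(m['us'], 16)
            cur = None
        elif cur and (m := PARAM.match(line)):
            cur['params'][m['name']] = unquote(m['val'])
    return calls

def triage(calls):
    """Files created for writing and programs launched: the facts to read off first."""
    dropped = [c['params']['lpFileName'] for c in calls if c['api'] == 'CreateFile'
               and 'GENERIC_WRITE' in c['params'].get('dwDesiredAccess', '')]
    launched = [(c['params']['lpFile'], c['params'].get('lpParameters', ''))
                for c in calls if c['api'] == 'ShellExecute']
    return {'dropped': dropped, 'launched': launched}

# Constructed sample in the logger's format (condensed from the trace above).
SAMPLE = r'''[mal_v1.exe] [0x1484] CreateFile (
LPCTSTR lpFileName = "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\tmscv.exe",
FILE_ACCESS_MASK dwDesiredAccess = GENERIC_WRITE,
) -> 0x78 [0x96 µs]
[mal_v1.exe] [0x1484] ShellExecute (
LPCTSTR lpFile = "Powershell",
LPCTSTR lpParameters = "\"RI\" \"-path\" \"\\\"C:\\Users\\Administrator\\Desktop\\mal_v1.exe\\\"\" \"-force\"",
) -> 0x2a [0x66 µs]
[mal_v1.exe] [0x1484] ExitProcess (
UINT uExitCode = 0x104
)'''
```

Running `triage(parse_trace(SAMPLE))` on the excerpt lists the dropped `tmscv.exe` path and the PowerShell `Remove-Item -force` launch that deletes the original sample; the same two lookups over the full log give the complete drop-and-launch picture.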
git clone --recursive https://github.com/d35ha/xLogger