logger.exe

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\logger.exe
  • Description: Logger (debugger) 4.02 (Window Title)

Hashes

  • MD5: 58EB12FE266036FEB408528FFBA028D0
  • SHA1: FB752AF191BF5E8C7FE9FC053368133BE36FA444
  • SHA256: E5AA8D65747EFD4862E74FD223566E3B9D044B0C2D662BD23B53A93D12237D3A
  • SHA384: EEE43F50E1A50614F3F3A2C3CEEECE4E39F3A159E02CD3B7C8BA94CB27FE82C0F0C93AD8C8943C7E13A338963897DB21
  • SHA512: C6115F412BBE63CE6029B8A81B0DD1FEFE25AD6E49A259AAFACAC53A124EB47AD0F6335C289795D68BBE6C5D5984E968013065CB46E4638A825F6FA42B8013AE
  • SSDEEP: 6144:Ce2kVAhw/Uu+y/Tb05LmKBz8xh5KzsW5CB:Ce5Khib05SKBIxfKzNCB
  • IMP: 29B00655AF7D4A72C238F06EF87FB647
  • PESHA1: 553657E44AE6B4573404D199EF00346092B6E165
  • PE256: 4DD37B1E2D92689CC26C3C88E402B8796740DAB6E6FCD032450408C97D9DA1A0

Runtime Data

Usage (stdout; note that the captured text is the standard cmd.exe HELP command listing rather than a usage message specific to logger.exe):

For more information on a specific command, type HELP command-name
ASSOC          Displays or modifies file extension associations.
ATTRIB         Displays or changes file attributes.
BREAK          Sets or clears extended CTRL+C checking.
BCDEDIT        Sets properties in boot database to control boot loading.
CACLS          Displays or modifies access control lists (ACLs) of files.
CALL           Calls one batch program from another.
CD             Displays the name of or changes the current directory.
CHCP           Displays or sets the active code page number.
CHDIR          Displays the name of or changes the current directory.
CHKDSK         Checks a disk and displays a status report.
CHKNTFS        Displays or modifies the checking of disk at boot time.
CLS            Clears the screen.
CMD            Starts a new instance of the Windows command interpreter.
COLOR          Sets the default console foreground and background colors.
COMP           Compares the contents of two files or sets of files.
COMPACT        Displays or alters the compression of files on NTFS partitions.
CONVERT        Converts FAT volumes to NTFS.  You cannot convert the
               current drive.
COPY           Copies one or more files to another location.
DATE           Displays or sets the date.
DEL            Deletes one or more files.
DIR            Displays a list of files and subdirectories in a directory.
DISKPART       Displays or configures Disk Partition properties.
DOSKEY         Edits command lines, recalls Windows commands, and 
               creates macros.
DRIVERQUERY    Displays current device driver status and properties.
ECHO           Displays messages, or turns command echoing on or off.
ENDLOCAL       Ends localization of environment changes in a batch file.
ERASE          Deletes one or more files.
EXIT           Quits the CMD.EXE program (command interpreter).
FC             Compares two files or sets of files, and displays the 
               differences between them.
FIND           Searches for a text string in a file or files.
FINDSTR        Searches for strings in files.
FOR            Runs a specified command for each file in a set of files.
FORMAT         Formats a disk for use with Windows.
FSUTIL         Displays or configures the file system properties.
FTYPE          Displays or modifies file types used in file extension 
               associations.
GOTO           Directs the Windows command interpreter to a labeled line in 
               a batch program.
GPRESULT       Displays Group Policy information for machine or user.
GRAFTABL       Enables Windows to display an extended character set in 
               graphics mode.
HELP           Provides Help information for Windows commands.
ICACLS         Display, modify, backup, or restore ACLs for files and 
               directories.
IF             Performs conditional processing in batch programs.
LABEL          Creates, changes, or deletes the volume label of a disk.
MD             Creates a directory.
MKDIR          Creates a directory.
MKLINK         Creates Symbolic Links and Hard Links
MODE           Configures a system device.
MORE           Displays output one screen at a time.
MOVE           Moves one or more files from one directory to another 
               directory.
OPENFILES      Displays files opened by remote users for a file share.
PATH           Displays or sets a search path for executable files.
PAUSE          Suspends processing of a batch file and displays a message.
POPD           Restores the previous value of the current directory saved by 
               PUSHD.
PRINT          Prints a text file.
PROMPT         Changes the Windows command prompt.
PUSHD          Saves the current directory then changes it.
RD             Removes a directory.
RECOVER        Recovers readable information from a bad or defective disk.
REM            Records comments (remarks) in batch files or CONFIG.SYS.
REN            Renames a file or files.
RENAME         Renames a file or files.
REPLACE        Replaces files.
RMDIR          Removes a directory.
ROBOCOPY       Advanced utility to copy files and directory trees
SET            Displays, sets, or removes Windows environment variables.
SETLOCAL       Begins localization of environment changes in a batch file.
SC             Displays or configures services (background processes).
SCHTASKS       Schedules commands and programs to run on a computer.
SHIFT          Shifts the position of replaceable parameters in batch files.
SHUTDOWN       Allows proper local or remote shutdown of machine.
SORT           Sorts input.
START          Starts a separate window to run a specified program or command.
SUBST          Associates a path with a drive letter.
SYSTEMINFO     Displays machine specific properties and configuration.
TASKLIST       Displays all currently running tasks including services.
TASKKILL       Kill or stop a running process or application.
TIME           Displays or sets the system time.
TITLE          Sets the window title for a CMD.EXE session.
TREE           Graphically displays the directory structure of a drive or 
               path.
TYPE           Displays the contents of a text file.
VER            Displays the Windows version.
VERIFY         Tells Windows whether to verify that your files are written
               correctly to a disk.
VOL            Displays a disk volume label and serial number.
XCOPY          Copies files and directory trees.
WMIC           Displays WMI information inside interactive command shell.

For more information on tools see the command-line reference in the online help.

Child Processes:

conhost.exe

Window Title:

Logger (debugger) 4.02

Open Handles:

  • File: (R-D) C:\Windows\Fonts\StaticCache.dat
  • File: (RW-) C:\Users\user
  • File: (RW-) C:\Windows
  • Section: \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
  • Section: \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
  • Section: \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2
  • Section: \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
  • Section: \BaseNamedObjects\NLS_CodePage_437_3_2_0_0
  • Section: \Sessions\1\Windows\Theme1383959086
  • Section: \Windows\Theme2042523233

Loaded Modules:

  • C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\logger.exe
  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name:
  • Company Name:
  • File Version:
  • Product Version:
  • Language:
  • Legal Copyright:
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

Possible Misuse

The following list contains possible examples of logger.exe being misused. While logger.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source, the source file, the matching example line, and the license of the source.

  • sigma, lnx_shell_clear_cmd_history.yml (DRL 1.0): # (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) &
  • sigma, proc_creation_macos_disable_security_tools.yml (DRL 1.0): - 'packetbeat' # elastic network logger/shipper
  • sigma, proc_creation_macos_security_software_discovery.yml (DRL 1.0): - 'packetbeat' # elastic network logger/shipper
  • sigma, proc_creation_lnx_security_software_discovery.yml (DRL 1.0): - 'packetbeat' # elastic network logger/shipper
  • sigma, proc_access_win_uac_bypass_wow64_logger.yml (DRL 1.0): title: UAC Bypass Using WOW64 Logger DLL Hijack
  • sigma, proc_access_win_uac_bypass_wow64_logger.yml (DRL 1.0): description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
  • LOLBAS, Msbuild.yml: Description: Executes Logger statements from rsp file
  • LOLBAS, Msbuild.yml: - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
  • LOLBAS, Msbuild.yml: Description: Executes generated Logger dll file with TargetLogger export
  • malware-ioc, attor (© ESET 2014-2018): ==== Key/clipboard logger plugin
  • atomic-red-team, T1056.001.md (MIT License. © 2018 Red Canary): PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
  • atomic-red-team, T1056.001.md (MIT License. © 2018 Red Canary): ##### Description: This test requires to be run in a bash shell and that logger and tee are installed.
  • atomic-red-team, T1056.001.md (MIT License. © 2018 Red Canary): if [ ! -x "$(command -v logger)" ]; then echo -e "\n*** logger NOT installed ***\n"; exit 1; fi
  • signature-base, apt_op_wocao.yar (CC BY-NC 4.0): $ = "Logger PingConnect"
  • signature-base, apt_op_wocao.yar (CC BY-NC 4.0): $ = "Logger GetAdmins"
  • signature-base, apt_op_wocao.yar (CC BY-NC 4.0): $ = "Logger InstallPro"
  • signature-base, apt_op_wocao.yar (CC BY-NC 4.0): $ = "Logger Exec"
  • signature-base, apt_op_wocao.yar (CC BY-NC 4.0): $ = "Logger VolumeName & " (" & objDrive.DriveLetter & ":)" _"
  • signature-base, crime_fireball.yar (CC BY-NC 4.0): $s5 = "Logger Name:" fullword ascii
  • signature-base, gen_github_net_redteam_tools_guids.yar (CC BY-NC 4.0): reference = "https://github.com/xxczaki/logger"
  • signature-base, spy_equation_fiveeyes.yar (CC BY-NC 4.0): description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
  • signature-base, spy_querty_fiveeyes.yar (CC BY-NC 4.0): $s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
  • signature-base, spy_querty_fiveeyes.yar (CC BY-NC 4.0): $s7 = "Keystroke Logger Lp Plugin" fullword ascii
  • signature-base, spy_querty_fiveeyes.yar (CC BY-NC 4.0): $s0 = "Keystroke Logger Plugin." fullword ascii
  • signature-base, spy_querty_fiveeyes.yar (CC BY-NC 4.0): $s2 = "Keystroke Logger Plugin." fullword ascii
  • stockpile, 95ad5d69-563e-477b-802b-4855bfb3be09.yml (Apache-2.0): description: Dll Hijack of WOW64 logger wow64log.dll using Akagi.exe

MIT License. Copyright (c) 2020-2021 Strontic.