logger.exe
- File Path:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\logger.exe - Description: Logger (debugger) 4.02 (Window Title)
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 58EB12FE266036FEB408528FFBA028D0 |
| SHA1 | FB752AF191BF5E8C7FE9FC053368133BE36FA444 |
| SHA256 | E5AA8D65747EFD4862E74FD223566E3B9D044B0C2D662BD23B53A93D12237D3A |
| SHA384 | EEE43F50E1A50614F3F3A2C3CEEECE4E39F3A159E02CD3B7C8BA94CB27FE82C0F0C93AD8C8943C7E13A338963897DB21 |
| SHA512 | C6115F412BBE63CE6029B8A81B0DD1FEFE25AD6E49A259AAFACAC53A124EB47AD0F6335C289795D68BBE6C5D5984E968013065CB46E4638A825F6FA42B8013AE |
| SSDEEP | 6144:Ce2kVAhw/Uu+y/Tb05LmKBz8xh5KzsW5CB:Ce5Khib05SKBIxfKzNCB |
| IMP | 29B00655AF7D4A72C238F06EF87FB647 |
| PESHA1 | 553657E44AE6B4573404D199EF00346092B6E165 |
| PE256 | 4DD37B1E2D92689CC26C3C88E402B8796740DAB6E6FCD032450408C97D9DA1A0 |
Runtime Data
Usage (stdout):
For more information on a specific command, type HELP command-name
ASSOC Displays or modifies file extension associations.
ATTRIB Displays or changes file attributes.
BREAK Sets or clears extended CTRL+C checking.
BCDEDIT Sets properties in boot database to control boot loading.
CACLS Displays or modifies access control lists (ACLs) of files.
CALL Calls one batch program from another.
CD Displays the name of or changes the current directory.
CHCP Displays or sets the active code page number.
CHDIR Displays the name of or changes the current directory.
CHKDSK Checks a disk and displays a status report.
CHKNTFS Displays or modifies the checking of disk at boot time.
CLS Clears the screen.
CMD Starts a new instance of the Windows command interpreter.
COLOR Sets the default console foreground and background colors.
COMP Compares the contents of two files or sets of files.
COMPACT Displays or alters the compression of files on NTFS partitions.
CONVERT Converts FAT volumes to NTFS. You cannot convert the
current drive.
COPY Copies one or more files to another location.
DATE Displays or sets the date.
DEL Deletes one or more files.
DIR Displays a list of files and subdirectories in a directory.
DISKPART Displays or configures Disk Partition properties.
DOSKEY Edits command lines, recalls Windows commands, and
creates macros.
DRIVERQUERY Displays current device driver status and properties.
ECHO Displays messages, or turns command echoing on or off.
ENDLOCAL Ends localization of environment changes in a batch file.
ERASE Deletes one or more files.
EXIT Quits the CMD.EXE program (command interpreter).
FC Compares two files or sets of files, and displays the
differences between them.
FIND Searches for a text string in a file or files.
FINDSTR Searches for strings in files.
FOR Runs a specified command for each file in a set of files.
FORMAT Formats a disk for use with Windows.
FSUTIL Displays or configures the file system properties.
FTYPE Displays or modifies file types used in file extension
associations.
GOTO Directs the Windows command interpreter to a labeled line in
a batch program.
GPRESULT Displays Group Policy information for machine or user.
GRAFTABL Enables Windows to display an extended character set in
graphics mode.
HELP Provides Help information for Windows commands.
ICACLS Display, modify, backup, or restore ACLs for files and
directories.
IF Performs conditional processing in batch programs.
LABEL Creates, changes, or deletes the volume label of a disk.
MD Creates a directory.
MKDIR Creates a directory.
MKLINK Creates Symbolic Links and Hard Links
MODE Configures a system device.
MORE Displays output one screen at a time.
MOVE Moves one or more files from one directory to another
directory.
OPENFILES Displays files opened by remote users for a file share.
PATH Displays or sets a search path for executable files.
PAUSE Suspends processing of a batch file and displays a message.
POPD Restores the previous value of the current directory saved by
PUSHD.
PRINT Prints a text file.
PROMPT Changes the Windows command prompt.
PUSHD Saves the current directory then changes it.
RD Removes a directory.
RECOVER Recovers readable information from a bad or defective disk.
REM Records comments (remarks) in batch files or CONFIG.SYS.
REN Renames a file or files.
RENAME Renames a file or files.
REPLACE Replaces files.
RMDIR Removes a directory.
ROBOCOPY Advanced utility to copy files and directory trees
SET Displays, sets, or removes Windows environment variables.
SETLOCAL Begins localization of environment changes in a batch file.
SC Displays or configures services (background processes).
SCHTASKS Schedules commands and programs to run on a computer.
SHIFT Shifts the position of replaceable parameters in batch files.
SHUTDOWN Allows proper local or remote shutdown of machine.
SORT Sorts input.
START Starts a separate window to run a specified program or command.
SUBST Associates a path with a drive letter.
SYSTEMINFO Displays machine specific properties and configuration.
TASKLIST Displays all currently running tasks including services.
TASKKILL Kill or stop a running process or application.
TIME Displays or sets the system time.
TITLE Sets the window title for a CMD.EXE session.
TREE Graphically displays the directory structure of a drive or
path.
TYPE Displays the contents of a text file.
VER Displays the Windows version.
VERIFY Tells Windows whether to verify that your files are written
correctly to a disk.
VOL Displays a disk volume label and serial number.
XCOPY Copies files and directory trees.
WMIC Displays WMI information inside interactive command shell.
For more information on tools see the command-line reference in the online help.
Child Processes:
conhost.exe
Window Title:
Logger (debugger) 4.02
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\1\Windows\Theme1383959086 | Section |
| \Windows\Theme2042523233 | Section |
Loaded Modules:
| Path |
|---|
| C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\logger.exe |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial:
33000002CF6D2CC57CAA65A6D80000000002CF - Thumbprint:
1A221B3B4FEF088B17BA6704FD088DF192D9E0EF - Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename:
- Product Name:
- Company Name:
- File Version:
- Product Version:
- Language:
- Legal Copyright:
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: Unknown
Possible Misuse
The following table contains possible examples of logger.exe being misused. While logger.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | lnx_shell_clear_cmd_history.yml | # (is_empty=false; inotifywait -m .bash_history \| while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) & |
DRL 1.0 |
| sigma | proc_creation_macos_disable_security_tools.yml | - 'packetbeat' # elastic network logger/shipper |
DRL 1.0 |
| sigma | proc_creation_macos_security_software_discovery.yml | - 'packetbeat' # elastic network logger/shipper |
DRL 1.0 |
| sigma | proc_creation_lnx_security_software_discovery.yml | - 'packetbeat' # elastic network logger/shipper |
DRL 1.0 |
| sigma | proc_access_win_uac_bypass_wow64_logger.yml | title: UAC Bypass Using WOW64 Logger DLL Hijack |
DRL 1.0 |
| sigma | proc_access_win_uac_bypass_wow64_logger.yml | description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30) |
DRL 1.0 |
| LOLBAS | Msbuild.yml | Description: Executes Logger statements from rsp file |
|
| LOLBAS | Msbuild.yml | - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo |
|
| LOLBAS | Msbuild.yml | Description: Executes generated Logger dll file with TargetLogger export |
|
| malware-ioc | attor | ==== Key/clipboard logger plugin |
© ESET 2014-2018 |
| atomic-red-team | T1056.001.md | PROMPT_COMMAND=’history -a >(tee -a ~/.bash_history |logger -t “$USER[$$] $SSH_CONNECTION “)’ | MIT License. © 2018 Red Canary |
| atomic-red-team | T1056.001.md | ##### Description: This test requires to be run in a bash shell and that logger and tee are installed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1056.001.md | if [ ! -x “$(command -v logger)” ]; then echo -e “\n*** logger NOT installed ***\n”; exit 1; fi | MIT License. © 2018 Red Canary |
| signature-base | apt_op_wocao.yar | $ = “Logger PingConnect” | CC BY-NC 4.0 |
| signature-base | apt_op_wocao.yar | $ = “Logger GetAdmins” | CC BY-NC 4.0 |
| signature-base | apt_op_wocao.yar | $ = “Logger InstallPro” | CC BY-NC 4.0 |
| signature-base | apt_op_wocao.yar | $ = “Logger Exec” | CC BY-NC 4.0 |
| signature-base | apt_op_wocao.yar | $ = “Logger VolumeName & " (" & objDrive.DriveLetter & ":)" _” | CC BY-NC 4.0 |
| signature-base | crime_fireball.yar | $s5 = “Logger Name:” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_github_net_redteam_tools_guids.yar | reference = “https://github.com/xxczaki/logger” | CC BY-NC 4.0 |
| signature-base | spy_equation_fiveeyes.yar | description = “EquationDrug - Key/clipboard logger driver - msrtvd.sys” | CC BY-NC 4.0 |
| signature-base | spy_querty_fiveeyes.yar | $s3 = “This command will return the current status of the Keyboard Logger (Whether it i” ascii | CC BY-NC 4.0 |
| signature-base | spy_querty_fiveeyes.yar | $s7 = “ |
CC BY-NC 4.0 |
| signature-base | spy_querty_fiveeyes.yar | $s0 = “ |
CC BY-NC 4.0 |
| signature-base | spy_querty_fiveeyes.yar | $s2 = “ |
CC BY-NC 4.0 |
| stockpile | 95ad5d69-563e-477b-802b-4855bfb3be09.yml | description: Dll Hijack of WOW64 logger wow64log.dll using Akagi.exe |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.