Lab11-03.exe contains the string net start cisvc, which means that it probably starts the CiSvc indexing service. Lab11-03.dll contains the string C:\WINDOWS\System32\kernel64x.dll and imports the API calls GetForegroundWindow, which makes us suspect it is a keylogger that logs to
The malware starts by copying Lab11-03.dll to inet_epar32.dll in the Windows system directory. The malware writes data to cisvc.exe and starts the indexing service. The malware also appears to write keystrokes to C:\Windows\System32\kernel64x.dll.
The malware persistently installs Lab11-03.dll by trojanizing the indexing service (cisvc.exe) through entry-point redirection. It redirects the entry point ...
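One way a defender can triage a binary suspected of this kind of tampering is to locate the PE entry point in the section table and check whether it still lands inside the expected code section. The following is an added example written for this page, not code from the book or from the lab files: it builds a constructed minimal PE header in memory (it does not touch cisvc.exe or Lab11-03.dll) and runs the check against a clean layout and a layout whose entry point was moved into an appended section; `build_pe`, `entry_point_section` and `entry_point_suspicious` are names chosen here.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag (from the PE format)

def build_pe(entry_rva, sections):
    """Constructed minimal PE image (headers only, no section bodies), enough for the check below.
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, ch)
        for n, va, vsize, ch in sections)
    return bytes(dos) + coff + bytes(opt) + secs

def entry_point_section(pe):
    """Return (entry_rva, section_name, is_executable, offset_into_section) for the PE entry point."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]         # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]  # optional header AddressOfEntryPoint
    sec_off = e_lfanew + 24 + opt_size                           # section table follows the optional header
    for i in range(nsec):
        name, vsize, va, _, _, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", pe, sec_off + 40 * i)
        if va <= entry < va + max(vsize, 1):
            return entry, name.rstrip(b"\0").decode(), bool(ch & IMAGE_SCN_MEM_EXECUTE), entry - va
    return entry, None, False, None   # entry point maps to no section at all: also suspicious

def entry_point_suspicious(pe, expected_section=".text"):
    """Heuristic: an entry point outside the compiler's code section, or in a section without the
    execute flag, is typical of a binary whose entry was redirected to injected code. Packers trip
    this too, so treat a hit as a reason to look closer, not as proof."""
    _, name, executable, _ = entry_point_section(pe)
    return name != expected_section or not executable

# Constructed layouts: a normal image, and one with the entry moved into an appended section.
CLEAN = build_pe(0x1200, [(".text", 0x1000, 0x3000, 0x60000020), (".data", 0x4000, 0x1000, 0xC0000040)])
TROJANIZED = build_pe(0x5010, [(".text", 0x1000, 0x3000, 0x60000020), (".data", 0x4000, 0x1000, 0xC0000040),
                               (".inject", 0x5000, 0x200, 0xE0000020)])
```

On a real sample, read the file bytes with `open(path, "rb").read()` and pass them to `entry_point_suspicious`; the section name to expect depends on the compiler, so compare against a known-good copy of the same binary when one is available.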