Find if a .TMP file is an executable

(imported topic written by SecurityMG)

Hello all,

Another one for you…

I am trying to take this output and look at the files to determine if they are executable…

This works:

(pathnames whose (it ends with ".tmp") of files of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata")

A: c:\users\<username>\AppData\LocalLow\test_file.tmp

This does not:

if (exists line containing "whateverString" of files whose (pathname of it ends with ".tmp") of folders of folders of folders of folder "c:\users") then (pathnames whose (it ends with ".tmp" and exists line containing "VirualAllocEx") of files of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata") else "Nope"

So the goal is for the analysis to show the path of the file that contains the string.

help :wink:

MG

(imported comment written by SecurityMG)

This works for it:

if (exists files whose (exists line whose (it contains "VirtualAllocEx") of it) of folders of folders of folders of folder "c:\users") then (pathnames of files whose (exists line whose (it contains "VirtualAllocEx") of it) of folders of folders of folders of folder "c:\users") whose (it contains "\AppData" and it ends with ".tmp") else "nope"

Returns just the path of a file that has this string in it.
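
The same check outside of relevance, as an added example that is not part of the original thread: a Python sketch that finds .tmp files under each user's AppData folder, tests for a real MZ/PE header (which answers the "is it an executable" question in the title), and looks for the VirtualAllocEx string. It goes beyond the thread by checking the header and by scanning any depth below AppData; the function names and the `make_sample_pe` stub are assumptions made for the illustration.

```python
import os
import struct

MARKER = b"VirtualAllocEx"  # import name the thread searches for


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_tmp_files(users_root: str, marker: bytes = MARKER, max_bytes: int = 16 << 20):
    """Yield (path, is_pe, has_marker) for *.tmp files under <user>\\AppData."""
    for dirpath, _dirs, files in os.walk(users_root):
        # Path relative to the users root: [<user>, "appdata", ...]
        rel = os.path.relpath(dirpath, users_root).lower().split(os.sep)
        if len(rel) < 2 or rel[1] != "appdata":
            continue
        for name in files:
            if not name.lower().endswith(".tmp"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # cap the read on very large files
            except OSError:
                continue  # locked or unreadable file
            yield path, is_pe(data), marker in data


def make_sample_pe(extra: bytes = b"") -> bytes:
    """Constructed minimal MZ/PE stub for demo purposes (not a runnable binary)."""
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return header + b"PE\0\0" + b"\0" * 20 + extra


if __name__ == "__main__":
    for path, pe, hit in scan_tmp_files(r"c:\users"):
        if pe or hit:
            print(f"{path}\tpe={pe}\tmarker={hit}")
```

A .tmp file that reports pe=True is an executable regardless of its extension; the marker column only says the string is present somewhere in the first 16 MiB.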