The 2 trojans:


Here's the code that I believe is causing the issue. The purpose is to create/modify a registry key to make the program run on startup:
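    #include <stdexcept>
    #include <string>
    // Registry API comes from <windows.h> (assumed already included by the project's headers).
    // Assumes `using namespace std;` and a multi-byte (ANSI) build, since std::string is passed to the Reg* calls.

    void CSoftwareDlg::SetSURegValue(string regValue) {
        string regSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\");
        string regValueName = "Software";
        DEBUG_PRINT(regValue)
        try
        {
            // Size in bytes of the REG_SZ data, including the terminating null.
            auto cbData = static_cast<DWORD>(regValue.size() * sizeof(char) + sizeof(char));
            HKEY hKey = NULL;
            DWORD position = 0; // Only written by RegCreateKeyEx on success.
            // Open the per-user Run key, creating it if it does not exist.
            // KEY_SET_VALUE would be sufficient for writing a value.
            auto rc = RegCreateKeyEx(HKEY_CURRENT_USER, regSubKey.c_str(), 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &position);
            if (rc == ERROR_SUCCESS && (position == REG_OPENED_EXISTING_KEY || position == REG_CREATED_NEW_KEY)) {
                if (position == REG_OPENED_EXISTING_KEY) {
                    DEBUG_PRINT("Key already exists & has been opened.")
                }
                else if (position == REG_CREATED_NEW_KEY) {
                    DEBUG_PRINT("Created new key.")
                }
                // c_str() guarantees the null terminator that cbData accounts for.
                auto setRc = RegSetValueEx(hKey, regValueName.c_str(), 0, REG_SZ, reinterpret_cast<const BYTE*>(regValue.c_str()), cbData);
                RegCloseKey(hKey); // Release the handle before any throw.
                if (setRc != ERROR_SUCCESS) {
                    throw std::runtime_error("Windows system error code: " + to_string(setRc));
                }
            }
            else if (rc != ERROR_SUCCESS) {
                DEBUG_PRINT("Error setting key.\n")
            }
            else {
                RegCloseKey(hKey); // Key was opened, but the disposition was unexpected.
                DEBUG_PRINT("UNKNOWN ERROR: Key does not exist, and a new key was not created.")
            }
        }
        catch (std::exception& e)
        {
            DEBUG_PRINT(e.what())
        }
    }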
In my attempts to solve this issue I began testing different scenarios of creating/modifying the key, but my results became inconclusive when I realized that Windows Defender had seemingly stopped logging each run as "new threats" and seemed to log them together as a single "permanent threat" I guess? Not really sure.
With that said, Windows Defender did not seem to log the threat when I would initially create the key or when I would open it and assign it the same value, but did appear to log the threat when I would move the program to a new directory (and the program would attempt to change the value of the "Software" registry value to the new EXE location).
That's left me with several questions:

1. Does my program mimic the behavior of the 2 trojans through some coding mistake?
2. Or do I have some latent, opportunistic piece of malware on my machine that's just been waiting to take advantage?
3. Is deleting the existing value necessary before attempting to change it? The behavior of RegCreateKeyEx leads me to believe this is not the case.
4. Is writing to the registry without elevated permissions a no-no? If so... why does my machine let me do it?
5. Am I doing some incorrect type conversion in the RegSetValueEx() function?

If #4 is the case, I guess I'm just really surprised that I was notified by Windows Defender and not Visual Studio or a UAC prompt.
Also: No engines on VirusTotal.com detected the file as malware.