Source: adminpriv.exe |
ReversingLabs: Detection: 54% |
Source: adminpriv.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: adminpriv.exe |
Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdb |
Source: adminpriv.exe |
String found in binary or memory: https://forums.mydigitallife.net/threads/59268/ |
Source: adminpriv.exe |
String found in binary or memory: https://github.com/M2Team/NSudo |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C204AC memset,GetCurrentProcess,OpenProcessToken,CreateProcessAsUserW,SetPriorityClass,ResumeThread,WaitForSingleObjectEx,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle, |
5_2_00007FF746C204AC |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C1F0D8 |
5_2_00007FF746C1F0D8 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C21DCC |
5_2_00007FF746C21DCC |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C20B88 |
5_2_00007FF746C20B88 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C19A08 |
5_2_00007FF746C19A08 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C20104 |
5_2_00007FF746C20104 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C26088 |
5_2_00007FF746C26088 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C15E0C |
5_2_00007FF746C15E0C |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2CE91 |
5_2_00007FF746C2CE91 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C1F680 |
5_2_00007FF746C1F680 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C13508 |
5_2_00007FF746C13508 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2C294 |
5_2_00007FF746C2C294 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C16224 |
5_2_00007FF746C16224 |
Source: adminpriv.exe |
Binary or memory string: OriginalFilename vs adminpriv.exe |
Source: adminpriv.exe, 00000005.00000000.52386766550.00007FF746C3D000.00000002.00000001.01000000.00000004.sdmp |
Binary or memory string: OriginalFilenameNSudo.exe, vs adminpriv.exe |
Source: adminpriv.exe |
Binary or memory string: OriginalFilenameNSudo.exe, vs adminpriv.exe |
Source: classification engine |
Classification label: sus36.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C21348 AdjustTokenPrivileges,GetLastError, |
5_2_00007FF746C21348 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C21168 GetTokenInformation,GetLastError,malloc,GetTokenInformation,AdjustTokenPrivileges,GetLastError,SetLastError,free, |
5_2_00007FF746C21168 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C13450 SetLastError,FindResourceExW,SizeofResource,LoadResource,LockResource,GetLastError,GetLastError,GetLastError, |
5_2_00007FF746C13450 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C13508 OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,StartServiceW,GetTickCount64,SleepEx,CloseServiceHandle,CloseServiceHandle, |
5_2_00007FF746C13508 |
Source: adminpriv.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\adminpriv.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: adminpriv.exe |
String found in binary or memory: t console window. PS: If you want to create a process with the new console window, please do not include the "-UseCurrentConsole" parameter. -Version Show version information of NSudo. -? Show this content. -H Show this content. -Help Show this cont |
Source: adminpriv.exe |
String found in binary or memory: nt. Context Menu: -Install Copy NSudo to the Windows directory and add the context menu. -Uninstall Remove NSudo in the Windows directory and the context menu. PS: 1. All NSudo command arguments is case-insensitive. 2. You can use the |
Source: adminpriv.exe |
String found in binary or memory: -? -H -Help -Install NSudoWindows |
Source: adminpriv.exe |
String found in binary or memory: -? -H -Help -Install NSudoWindows |
Source: adminpriv.exe |
String found in binary or memory: -Help |
Source: adminpriv.exe |
String found in binary or memory: -Install |
Source: adminpriv.exe |
String found in binary or memory: -Help Show this content. |
Source: adminpriv.exe |
String found in binary or memory: -Install Copy NSudo to the Windows directory and add the context menu. |
Source: adminpriv.exe |
String found in binary or memory: -Help Affiche l'aide. |
Source: adminpriv.exe |
String found in binary or memory: -Install Copie NSudo dans le r |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: wtsapi32.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: msvcp60.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: edgegdi.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: atlthunk.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: iconcodecservice.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\adminpriv.exe |
Automated click: Run |
Source: C:\Users\user\Desktop\adminpriv.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: adminpriv.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: adminpriv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: adminpriv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: adminpriv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: adminpriv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: adminpriv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: adminpriv.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: adminpriv.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: adminpriv.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: adminpriv.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: adminpriv.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: adminpriv.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C1E1E0 LoadLibraryW,GetProcAddress,FreeLibrary, |
5_2_00007FF746C1E1E0 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\adminpriv.exe |
API coverage: 9.6 % |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2B808 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, |
5_2_00007FF746C2B808 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2BB3C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, |
5_2_00007FF746C2BB3C |
Source: C:\Users\user\Desktop\adminpriv.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2C850 IsProcessorFeaturePresent,memset,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
5_2_00007FF746C2C850 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2C5D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
5_2_00007FF746C2C5D0 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2B280 SetUnhandledExceptionFilter, |
5_2_00007FF746C2B280 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2B470 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
5_2_00007FF746C2B470 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C20104 CreateRestrictedToken,GetTokenInformation,GetLastError,malloc,SetLastError,GetTokenInformation,SetTokenInformation,GetTokenInformation,GetLastError,malloc,GetTokenInformation,AllocateAndInitializeSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,EqualSid,AddAce,GetAce,SetTokenInformation,SetTokenInformation,free,FreeSid,free,free,CloseHandle, |
5_2_00007FF746C20104 |
Source: C:\Users\user\Desktop\adminpriv.exe |
Code function: 5_2_00007FF746C2B6D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,GetTickCount64,GetTickCount64,QueryPerformanceCounter, |
5_2_00007FF746C2B6D0 |