242713ef...bd95 | Kernel
VTI SCORE: 95/100
Dynamic Analysis Report
Classification: Dropper, Riskware, Downloader, Trojan, Ransomware

242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95 (SHA256)

CURRENT_DIRnwovkcyl.exe

Windows Exe (x86-32)

Created at 2018-10-03 03:03:00

Notifications (1/1)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

Kernel Graph 1

Code Block #1 (EP #1)
Trigger: IopLoadDriver+0x5e4
Start Address: 0xfffff800f36d9058
Execution Path #1 (length: 58, count: 1, processes: 1)
Sequence Length: 58
Processes (process, count):
Process 31 (System, PID: 4) 1
Sequence (symbol, parameters):
RtlInitUnicodeString SourceString = PsAcquireProcessExitSynchronization, DestinationString_out = PsAcquireProcessExitSynchronization
MmGetSystemRoutineAddress SystemRoutineName = PsAcquireProcessExitSynchronization, ret_val_ptr_out = 0xfffff803f3d90204
RtlInitUnicodeString SourceString = PsReleaseProcessExitSynchronization, DestinationString_out = PsReleaseProcessExitSynchronization
MmGetSystemRoutineAddress SystemRoutineName = PsReleaseProcessExitSynchronization, ret_val_ptr_out = 0xfffff803f3d94ce0
RtlInitUnicodeString SourceString = ObGetObjectType, DestinationString_out = ObGetObjectType
MmGetSystemRoutineAddress SystemRoutineName = ObGetObjectType, ret_val_ptr_out = 0xfffff803f3da7ae8
ObGetObjectType ret_val_out = 0xffffe00067e6e2b0
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x26, Tag = 0x544f4550, ret_val_ptr_out = 0xffffc00147f64a50
ObOpenObjectByName ObjectAttributes_unk = 0xffffd000abd4f5a0, ObjectType_unk = 0xffffe00067e6e2b0, AccessMode_unk = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0xffffd000000f0001, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Handle_ptr_out = 0xffffd000abd4f5f8, Handle_out = 0xffffffff80001248, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xffffc00147f64a50, Tag = 0x0
ObReferenceObjectByHandle Handle_unk = 0xffffffff80001248, DesiredAccess_unk = 0xf0001, ObjectType_unk = 0xffffe00067e6e2b0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000abd4f600, Object_out = 0xffffe00067e85f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80001248, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe00067e85f20, ret_val_ptr_out = 0x2
RtlInitUnicodeString SourceString = \Device\PROCEXP152, DestinationString_out = \Device\PROCEXP152
RtlInitUnicodeString SourceString = D:P(A;;GA;;;SY)(A;;GA;;;BA), DestinationString_out = D:P(A;;GA;;;SY)(A;;GA;;;BA)
RtlInitUnicodeString SourceString = IoCreateDeviceSecure, DestinationString_out = IoCreateDeviceSecure
MmGetSystemRoutineAddress SystemRoutineName = IoCreateDeviceSecure, ret_val_ptr_out = 0x0
RtlInitUnicodeString SourceString = IoValidateDeviceIoControlAccess, DestinationString_out = IoValidateDeviceIoControlAccess
MmGetSystemRoutineAddress SystemRoutineName = IoValidateDeviceIoControlAccess, ret_val_ptr_out = 0xfffff803f397f874
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x68, Tag = 0x6c416553, ret_val_ptr_out = 0xffffc0014a4c5650
_wcsnicmp _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0
_wcsnicmp _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11
_wcsnicmp _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12
_wcsnicmp _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0
_wcsnicmp _String1 = SY, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -4
_wcsnicmp _String1 = SY, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 17
_wcsnicmp _String1 = SY, _String2 = SY, _MaxCount_ptr = 0x2, ret_val_out = 0
RtlLengthSid Sid_ptr = 0xffffe00067e760b0, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, ret_val_out = 0xc
RtlAddAccessAllowedAce Acl_unk = 0xffffc0014a4c5650, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffe00067e760b0, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, Acl_unk_out = 0xffffc0014a4c5650, ret_val_out = 0x0
_wcsnicmp _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0
_wcsnicmp _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11
_wcsnicmp _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12
_wcsnicmp _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0
_wcsnicmp _String1 = BA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -21
_wcsnicmp _String1 = BA, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 0
RtlLengthSid Sid_ptr = 0xffffc00147800390, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, ret_val_out = 0x10
RtlAddAccessAllowedAce Acl_unk = 0xffffc0014a4c5650, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffc00147800390, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, Acl_unk_out = 0xffffc0014a4c5650, ret_val_out = 0x0
RtlCreateSecurityDescriptor Revision = 0x1, SecurityDescriptor_unk_out = 0xffffd000abd4f488, ret_val_out = 0x0
RtlSetDaclSecurityDescriptor SecurityDescriptor_unk = 0xffffd000abd4f488, DaclPresent = 1, Dacl_unk = 0xffffc0014a4c5650, DaclDefaulted = 0, SecurityDescriptor_unk_out = 0xffffd000abd4f488, ret_val_out = 0x0
RtlAbsoluteToSelfRelativeSD AbsoluteSecurityDescriptor_unk = 0xffffd000abd4f488, BufferLength_ptr = 0xffffd000abd4f4d0, SelfRelativeSecurityDescriptor_unk_out = 0x0, BufferLength_ptr_out = 0xffffd000abd4f4d0, ret_val_out = 0xc0000023
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x48, Tag = 0x64536553, ret_val_ptr_out = 0xffffc0014a4faac0
RtlAbsoluteToSelfRelativeSD AbsoluteSecurityDescriptor_unk = 0xffffd000abd4f488, BufferLength_ptr = 0xffffd000abd4f4d0, SelfRelativeSecurityDescriptor_unk_out = 0xffffc0014a4faac0, BufferLength_ptr_out = 0xffffd000abd4f4d0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xffffc0014a4c5650, Tag = 0x0
IoCreateDevice DriverObject_unk = 0xffffe0006a4e8740, DeviceExtensionSize = 0x0, DeviceName = \Device\PROCEXP152, DeviceType_unk = 0x8335, DeviceCharacteristics = 0x0, Exclusive = 0, DeviceObject_unk_out = 0xffffd000abd4f5d0, ret_val_out = 0x0
RtlGetOwnerSecurityDescriptor SecurityDescriptor_unk = 0xffffc0014a4faac0, Owner_ptr_out = 0xffffd000abd4f460, Owner_out = 0x0, OwnerDefaulted_ptr_out = 0xffffd000abd4f498, ret_val_out = 0x0
RtlGetGroupSecurityDescriptor SecurityDescriptor_unk = 0xffffc0014a4faac0, Group_ptr_out = 0xffffd000abd4f460, Group_out = 0x0, GroupDefaulted_ptr_out = 0xffffd000abd4f498, ret_val_out = 0x0
RtlGetSaclSecurityDescriptor SecurityDescriptor_unk = 0xffffc0014a4faac0, SaclPresent_ptr_out = 0xffffd000abd4f4a8, Sacl_unk_out = 0xffffd000abd4f468, SaclDefaulted_ptr_out = 0xffffd000abd4f498, ret_val_out = 0x0
RtlGetDaclSecurityDescriptor SecurityDescriptor_unk = 0xffffc0014a4faac0, DaclPresent_ptr_out = 0xffffd000abd4f4a8, Dacl_unk_out = 0xffffd000abd4f468, DaclDefaulted_ptr_out = 0xffffd000abd4f498, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xffffe0006a372e40, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x40000, ObjectType_unk = 0xffffe00067ea1f20, AccessMode_unk = 0xffffe0006a4e8700, Handle_ptr_out = 0xffffd000abd4f4d0, Handle_out = 0xffffffff80001248, ret_val_out = 0x0
ZwSetSecurityObject Handle_unk = 0xffffffff80001248, SecurityInformation_unk = 0x4, SecurityDescriptor_unk = 0xffffc0014a4faac0, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80001248, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xffffc0014a4faac0, Tag = 0x0
RtlInitUnicodeString SourceString = \DosDevices\PROCEXP152, DestinationString_out = \DosDevices\PROCEXP152
IoCreateSymbolicLink SymbolicLinkName = \DosDevices\PROCEXP152, DeviceName = \Device\PROCEXP152, ret_val_out = 0x0

Kernel Graph 2

Code Block #2 (EP #2, #3, #4, #5, #6, #7, #18, #21, #22)
Trigger: IofCallDriver+0x4b
Start Address: 0xfffff800f36d2000
Execution Path #2 (length: 5, count: 2, processes: 2)
Sequence Length: 5
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 1
Process 125 (vidhs3md64.exe, PID: 2100) 1
Sequence (symbol, parameters):
SeCaptureSubjectContext SubjectContext_unk_out = 0xffffd000b1b8e328
ExGetPreviousMode ret_val_unk_out = 0x1
SePrivilegeCheck RequiredPrivileges_unk = 0xffffd000b1b8e348, SubjectSecurityContext_unk = 0xffffd000b1b8e328, AccessMode_unk = 0x1, RequiredPrivileges_unk_out = 0xffffd000b1b8e348, ret_val_out = 1
SeReleaseSubjectContext SubjectContext_unk = 0xffffd000b1b8e328, SubjectContext_unk_out = 0xffffd000b1b8e328
IoCompleteRequest ret_val_out = 0x884
Execution Path #3 (length: 10, count: 1141, processes: 2)
Sequence Length: 10
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 463
Process 125 (vidhs3md64.exe, PID: 2100) 678
Sequence (symbol, parameters):
PsLookupProcessByProcessId ProcessId_unk = 0xed4, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe0006845c080, PROCESS_unk_out = 0xffffe0006845c080, ApcState_unk_out = 0xffffd000b1b8e400
ObReferenceObjectByHandle Handle_unk = 0xc0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0xffffe0006a261d00, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe0006845c080, ret_val_ptr_out = 0x17ff1
ObQueryNameString Object_ptr = 0xffffe000756919d0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe000685023c4, ReturnLength_ptr_out = 0xffffd000b1b8e338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe0006a261d00, ret_val_ptr_out = 0x17ffd
IoCompleteRequest ret_val_out = 0x0
Execution Path #4 (length: 13, count: 8, processes: 2)
Sequence Length: 13
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 4
Process 125 (vidhs3md64.exe, PID: 2100) 4
Sequence (symbol, parameters):
PsLookupProcessByProcessId ProcessId_unk = 0x190, Process_unk_out = 0xffffd000b1b8e3d8, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe0006a5c0080, PROCESS_unk_out = 0xffffe0006a5c0080, ApcState_unk_out = 0xffffd000b1b8e3f8
ObReferenceObjectByHandle Handle_unk = 0xb4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e3e0, Object_out = 0xffffe0006a3714b0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe0006a5c0080, ret_val_ptr_out = 0x27fe9
ZwQueryObject Handle_unk = 0xb4, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x0, ObjectInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000b1b8e3d4, ret_val_out = 0xc0000004
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x88, Tag = 0x58637250, ret_val_ptr_out = 0xffffc0014a23eb00
ZwQueryObject Handle_unk = 0xb4, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x88, ObjectInformation_ptr_out = 0xffffc0014a23eb00, ReturnLength_ptr_out = 0x0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xffffc0014a23eb00, Tag = 0x0
ObfDereferenceObject Object_ptr = 0xffffe0006a3714b0, ret_val_ptr_out = 0x7ffe
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e3f8
IoCompleteRequest ret_val_out = 0x0
Execution Path #5 (length: 2, count: 14, processes: 2)
Sequence Length: 2
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 8
Process 125 (vidhs3md64.exe, PID: 2100) 6
Sequence (symbol, parameters):
ZwOpenProcess DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd000b1b8e4b8, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd000b1b8e4a8, ClientId_deref_UniqueProcess_unk = 0xf74, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffe0006a519a40, ProcessHandle_out = 0x1a0, ret_val_out = 0x0
IoCompleteRequest ret_val_out = 0x0
Execution Path #6 (length: 4, count: 10, processes: 2)
Sequence Length: 4
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 5
Process 125 (vidhs3md64.exe, PID: 2100) 5
Sequence (symbol, parameters):
ZwOpenProcess DesiredAccess_unk = 0x40, ObjectAttributes_ptr = 0xffffd000b1b8e438, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd000b1b8e428, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd000b1b8e420, ProcessHandle_out = 0xffffffff8000111c, ret_val_out = 0x0
ZwDuplicateObject SourceProcessHandle_unk = 0xffffffff8000111c, SourceHandle_unk = 0xa5c, TargetProcessHandle_unk = 0xffffffffffffffff, DesiredAccess_unk = 0x10000000, HandleAttributes = 0x0, Options = 0x0, TargetHandle_ptr_out = 0xffffe0006a3f1300, TargetHandle_out = 0x1a4, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff8000111c, ret_val_out = 0x0
IoCompleteRequest ret_val_out = 0x0
Execution Path #7 (length: 8, count: 100, processes: 2)
Sequence Length: 8
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 98
Process 125 (vidhs3md64.exe, PID: 2100) 2
Sequence (symbol, parameters):
PsLookupProcessByProcessId ProcessId_unk = 0x4, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe00067e72040, PROCESS_unk_out = 0xffffe00067e72040, ApcState_unk_out = 0xffffd000b1b8e400
ObReferenceObjectByHandle Handle_unk = 0xffffffff8000065c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe00067e72040, ret_val_ptr_out = 0x2fa53
IoCompleteRequest ret_val_out = 0x0
Execution Path #18 (length: 6, count: 77, processes: 2)
Sequence Length: 6
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 7
Process 125 (vidhs3md64.exe, PID: 2100) 70
Sequence (symbol, parameters):
ObReferenceObjectByHandle Handle_unk = 0x180, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e498, Object_out = 0xffffe00067eea080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xffffe00067eea080, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffffd000b1b8e4a0, Handle_out = 0xffffffff80000d8c, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe00067eea080, ret_val_ptr_out = 0x67fff
ZwOpenProcessToken ProcessHandle_unk = 0xffffffff80000d8c, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffe0006a2989c0, TokenHandle_out = 0x1a8, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000d8c, ret_val_out = 0x0
IoCompleteRequest ret_val_out = 0x0
Execution Path #21 (length: 5, count: 48, processes: 1)
Sequence Length: 5
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 48
Sequence (symbol, parameters):
ObReferenceObjectByHandle Handle_unk = 0x180, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e498, Object_out = 0xffffe0006985a840, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xffffe0006985a840, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffffd000b1b8e4a0, Handle_out = 0xffffffff80000d8c, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe0006985a840, ret_val_ptr_out = 0x5000e
ZwOpenProcessToken ProcessHandle_unk = 0xffffffff80000d8c, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffe0006a287b00, TokenHandle_out = 0x1a8, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000d8c, ret_val_out = 0x0
Execution Path #22 (length: 8, count: 1, processes: 1)
Sequence Length: 8
Processes (process, count):
Process 125 (vidhs3md64.exe, PID: 2100) 1
Sequence (symbol, parameters):
PsLookupProcessByProcessId ProcessId_unk = 0xde8, Process_unk_out = 0xffffd000ac0cf3d8, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe0006a327840, PROCESS_unk_out = 0xffffe0006a327840, ApcState_unk_out = 0xffffd000ac0cf3f8
ObReferenceObjectByHandle Handle_unk = 0x12c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000ac0cf3e0, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe0006a327840, ret_val_ptr_out = 0x2fff7
KeUnstackDetachProcess ApcState_unk = 0xffffd000ac0cf3f8
IoCompleteRequest ret_val_out = 0x0

Kernel Graph 3

Code Block #3 (EP #8)
Trigger: PROCEXP152.SYS+0x2620
Start Address: 0xfffff803f3d42384
Execution Path #8 (length: 1, count: 1027, processes: 2)
Sequence Length: 1
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 504
Process 125 (vidhs3md64.exe, PID: 2100) 523
Sequence (symbol, parameters):
PsLookupProcessByProcessId ProcessId_unk = 0x4, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0

Kernel Graph 4

Code Block #4 (EP #9)
Trigger: PROCEXP152.SYS+0x2641
Start Address: 0xfffff803f3d90204
Execution Path #9 (length: 1, count: 1022, processes: 2)
Sequence Length: 1
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 504
Process 125 (vidhs3md64.exe, PID: 2100) 518
Sequence (symbol, parameters):
PsAcquireProcessExitSynchronization ret_val_out = 0x0

Kernel Graph 5

Code Block #5 (EP #10)
Trigger: PROCEXP152.SYS+0x2669
Start Address: 0xfffff803f38fbdc0
Execution Path #10 (length: 1, count: 1022, processes: 2)
Sequence Length: 1
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 504
Process 125 (vidhs3md64.exe, PID: 2100) 518
Sequence (symbol, parameters):
KeStackAttachProcess PROCESS_unk = 0xffffe00067e72040, PROCESS_unk_out = 0xffffe00067e72040, ApcState_unk_out = 0xffffd000b1b8e400

Kernel Graph 6

Code Block #6 (EP #11)
Trigger: PROCEXP152.SYS+0x26a0
Start Address: 0xfffff803f3ca6640
Execution Path #11 (length: 1, count: 1022, processes: 78)
Sequence Length: 1
Processes (process, count):
Process 1 (current_dirnwovkcyl.exe, PID: 3024) 10
Process 2 (UNKNOWN, PID: UNKNOWN) 3
Process 8 (cmd.exe, PID: 4004) 4
Process 9 (UNKNOWN, PID: UNKNOWN) 3
Process 12 (wscript.exe, PID: 3628) 5
Process 31 (System, PID: 4) 142
Process 33 (smss.exe, PID: 264) 10
Process 34 (csrss.exe, PID: 340) 27
Process 35 (wininit.exe, PID: 404) 10
Process 36 (csrss.exe, PID: 412) 49
Process 37 (winlogon.exe, PID: 460) 7
Process 38 (services.exe, PID: 484) 15
Process 39 (lsass.exe, PID: 492) 23
Process 40 (svchost.exe, PID: 576) 38
Process 41 (svchost.exe, PID: 620) 19
Process 42 (dwm.exe, PID: 728) 14
Process 43 (svchost.exe, PID: 792) 87
Process 44 (svchost.exe, PID: 832) 109
Process 45 (svchost.exe, PID: 856) 51
Process 46 (svchost.exe, PID: 872) 23
Process 47 (svchost.exe, PID: 932) 31
Process 48 (svchost.exe, PID: 660) 45
Process 49 (spoolsv.exe, PID: 320) 50
Process 50 (svchost.exe, PID: 1100) 10
Process 51 (officeclicktorun.exe, PID: 1232) 8
Process 52 (svchost.exe, PID: 1504) 6
Process 53 (sihost.exe, PID: 1992) 3
Process 54 (taskhostw.exe, PID: 2000) 6
Process 55 (runtimebroker.exe, PID: 1688) 2
Process 56 (explorer.exe, PID: 2080) 56
Process 57 (shellexperiencehost.exe, PID: 2480) 5
Process 58 (searchui.exe, PID: 2588) 18
Process 59 (nigeria reached hindu.exe, PID: 508) 2
Process 60 (style-percent.exe, PID: 808) 2
Process 61 (italian.exe, PID: 1028) 2
Process 62 (november.exe, PID: 1312) 2
Process 63 (photoshop_hormone_protein.exe, PID: 2688) 2
Process 64 (expenditurevincenttablet.exe, PID: 1300) 2
Process 65 (deaths.exe, PID: 752) 2
Process 66 (alfred.exe, PID: 1332) 2
Process 67 (admit.exe, PID: 2876) 2
Process 68 (set.exe, PID: 2212) 2
Process 69 (regulations_consensus_score.exe, PID: 896) 2
Process 70 (upgrading.exe, PID: 2132) 2
Process 71 (syria promptly.exe, PID: 1284) 2
Process 72 (tones engaging.exe, PID: 2252) 2
Process 73 (restaurant.exe, PID: 1324) 2
Process 74 (th-italia.exe, PID: 1052) 2
Process 75 (audiodg.exe, PID: 356) 3
Process 76 (svchost.exe, PID: 1112) 2
Process 77 (sppsvc.exe, PID: 3956) 2
Process 79 (wmiadap.exe, PID: 1164) 2
Process 80 (taskhostw.exe, PID: 1796) 3
Process 81 (cmd.exe, PID: 3780) 4
Process 82 (cmd.exe, PID: 3756) 4
Process 83 (cmd.exe, PID: 3660) 4
Process 84 (dllhost.exe, PID: 2820) 2
Process 85 (UNKNOWN, PID: UNKNOWN) 3
Process 86 (UNKNOWN, PID: UNKNOWN) 3
Process 87 (UNKNOWN, PID: UNKNOWN) 3
Process 88 (cmd.exe, PID: 3844) 5
Process 90 (UNKNOWN, PID: UNKNOWN) 3
Process 95 (cmd.exe, PID: 2420) 4
Process 96 (taskeng.exe, PID: 1836) 2
Process 99 (UNKNOWN, PID: UNKNOWN) 3
Process 101 (wmiprvse.exe, PID: 2456) 3
Process 105 (cmd.exe, PID: 3916) 4
Process 107 (UNKNOWN, PID: UNKNOWN) 3
Process 109 (cmd.exe, PID: 3580) 4
Process 110 (UNKNOWN, PID: UNKNOWN) 3
Process 115 (cmd.exe, PID: 3568) 4
Process 116 (UNKNOWN, PID: UNKNOWN) 3
Process 117 (cmd.exe, PID: 3804) 4
Process 118 (cmd.exe, PID: 1472) 4
Process 119 (UNKNOWN, PID: UNKNOWN) 3
Process 120 (vidhs3md.exe, PID: 2308) 5
Process 123 (schtasks.exe, PID: 2412) 5
Process 125 (vidhs3md64.exe, PID: 2100) 4
Sequence (symbol, parameters):
ObReferenceObjectByHandle Handle_unk = 0xffffffff80000b8c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008

Kernel Graph 7

Code Block #7 (EP #12)
Trigger: PROCEXP152.SYS+0x26d2
Start Address: 0xfffff803f38fbeb0
Execution Path #12 (length: 1, count: 1022, processes: 78)
Sequence Length: 1
Processes (process, count):
Process 1 (current_dirnwovkcyl.exe, PID: 3024) 10
Process 2 (UNKNOWN, PID: UNKNOWN) 3
Process 8 (cmd.exe, PID: 4004) 4
Process 9 (UNKNOWN, PID: UNKNOWN) 3
Process 12 (wscript.exe, PID: 3628) 5
Process 31 (System, PID: 4) 142
Process 33 (smss.exe, PID: 264) 10
Process 34 (csrss.exe, PID: 340) 27
Process 35 (wininit.exe, PID: 404) 10
Process 36 (csrss.exe, PID: 412) 49
Process 37 (winlogon.exe, PID: 460) 7
Process 38 (services.exe, PID: 484) 15
Process 39 (lsass.exe, PID: 492) 23
Process 40 (svchost.exe, PID: 576) 38
Process 41 (svchost.exe, PID: 620) 19
Process 42 (dwm.exe, PID: 728) 14
Process 43 (svchost.exe, PID: 792) 87
Process 44 (svchost.exe, PID: 832) 109
Process 45 (svchost.exe, PID: 856) 51
Process 46 (svchost.exe, PID: 872) 23
Process 47 (svchost.exe, PID: 932) 31
Process 48 (svchost.exe, PID: 660) 45
Process 49 (spoolsv.exe, PID: 320) 50
Process 50 (svchost.exe, PID: 1100) 10
Process 51 (officeclicktorun.exe, PID: 1232) 8
Process 52 (svchost.exe, PID: 1504) 6
Process 53 (sihost.exe, PID: 1992) 3
Process 54 (taskhostw.exe, PID: 2000) 6
Process 55 (runtimebroker.exe, PID: 1688) 2
Process 56 (explorer.exe, PID: 2080) 56
Process 57 (shellexperiencehost.exe, PID: 2480) 5
Process 58 (searchui.exe, PID: 2588) 18
Process 59 (nigeria reached hindu.exe, PID: 508) 2
Process 60 (style-percent.exe, PID: 808) 2
Process 61 (italian.exe, PID: 1028) 2
Process 62 (november.exe, PID: 1312) 2
Process 63 (photoshop_hormone_protein.exe, PID: 2688) 2
Process 64 (expenditurevincenttablet.exe, PID: 1300) 2
Process 65 (deaths.exe, PID: 752) 2
Process 66 (alfred.exe, PID: 1332) 2
Process 67 (admit.exe, PID: 2876) 2
Process 68 (set.exe, PID: 2212) 2
Process 69 (regulations_consensus_score.exe, PID: 896) 2
Process 70 (upgrading.exe, PID: 2132) 2
Process 71 (syria promptly.exe, PID: 1284) 2
Process 72 (tones engaging.exe, PID: 2252) 2
Process 73 (restaurant.exe, PID: 1324) 2
Process 74 (th-italia.exe, PID: 1052) 2
Process 75 (audiodg.exe, PID: 356) 3
Process 76 (svchost.exe, PID: 1112) 2
Process 77 (sppsvc.exe, PID: 3956) 2
Process 79 (wmiadap.exe, PID: 1164) 2
Process 80 (taskhostw.exe, PID: 1796) 3
Process 81 (cmd.exe, PID: 3780) 4
Process 82 (cmd.exe, PID: 3756) 4
Process 83 (cmd.exe, PID: 3660) 4
Process 84 (dllhost.exe, PID: 2820) 2
Process 85 (UNKNOWN, PID: UNKNOWN) 3
Process 86 (UNKNOWN, PID: UNKNOWN) 3
Process 87 (UNKNOWN, PID: UNKNOWN) 3
Process 88 (cmd.exe, PID: 3844) 5
Process 90 (UNKNOWN, PID: UNKNOWN) 3
Process 95 (cmd.exe, PID: 2420) 4
Process 96 (taskeng.exe, PID: 1836) 2
Process 99 (UNKNOWN, PID: UNKNOWN) 3
Process 101 (wmiprvse.exe, PID: 2456) 3
Process 105 (cmd.exe, PID: 3916) 4
Process 107 (UNKNOWN, PID: UNKNOWN) 3
Process 109 (cmd.exe, PID: 3580) 4
Process 110 (UNKNOWN, PID: UNKNOWN) 3
Process 115 (cmd.exe, PID: 3568) 4
Process 116 (UNKNOWN, PID: UNKNOWN) 3
Process 117 (cmd.exe, PID: 3804) 4
Process 118 (cmd.exe, PID: 1472) 4
Process 119 (UNKNOWN, PID: UNKNOWN) 3
Process 120 (vidhs3md.exe, PID: 2308) 5
Process 123 (schtasks.exe, PID: 2412) 5
Process 125 (vidhs3md64.exe, PID: 2100) 4
Sequence (symbol, parameters):
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400

Kernel Graph 8

Code Block #8 (EP #13)
Trigger: PROCEXP152.SYS+0x26ee
Start Address: 0xfffff803f3d94ce0
Execution Path #13 (length: 1, count: 1022, processes: 2)
Sequence Length: 1
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 504
Process 125 (vidhs3md64.exe, PID: 2100) 518
Sequence (symbol, parameters):
PsReleaseProcessExitSynchronization ret_val_out = 0x2

Kernel Graph 9

Code Block #9 (EP #14)
Trigger: PROCEXP152.SYS+0x26f5
Start Address: 0xfffff803f38c99b0
Execution Path #14 (length: 1, count: 1965, processes: 5)
Sequence Length: 1
Processes (process, count):
Process 1 (current_dirnwovkcyl.exe, PID: 3024) 5
Process 26 (vidhs3md64.exe, PID: 2644) 924
Process 43 (svchost.exe, PID: 792) 1
Process 125 (vidhs3md64.exe, PID: 2100) 1031
Process 31 (System, PID: 4) 4
Sequence (symbol, parameters):
ObfDereferenceObject Object_ptr = 0xffffe00067e72040, ret_val_ptr_out = 0x2f9ef

Kernel Graph 10

Code Block #10 (EP #15)
Trigger: PROCEXP152.SYS+0x20f2
Start Address: 0xfffff803f38cd150
Execution Path #15 (length: 1, count: 890, processes: 2)
Sequence Length: 1
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 366
Process 125 (vidhs3md64.exe, PID: 2100) 524
Sequence (symbol, parameters):
IoCompleteRequest ret_val_out = 0x0

Kernel Graph 11

Code Block #11 (EP #16)
Trigger: PROCEXP152.SYS+0x27c8
Start Address: 0xfffff803f3dac118
Execution Path #16 (length: 1, count: 1105, processes: 2)
Sequence Length: 1
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 592
Process 125 (vidhs3md64.exe, PID: 2100) 513
Sequence (symbol, parameters):
ObQueryNameString Object_ptr = 0xffffe00069208850, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe0006a3277c4, ReturnLength_ptr_out = 0xffffd000b1b8e380, ret_val_out = 0x0

Kernel Graph 12

Code Block #12 (EP #17, #19, #20, #23)
Trigger: PROCEXP152.SYS+0x211a
Start Address: 0xfffff803f3cb017d
Execution Path #17 (length: 9, count: 9, processes: 2)
Sequence Length: 9
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 5
Process 125 (vidhs3md64.exe, PID: 2100) 4
Sequence (symbol, parameters):
PsLookupProcessByProcessId ProcessId_unk = 0x4, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe00067e72040, PROCESS_unk_out = 0xffffe00067e72040, ApcState_unk_out = 0xffffd000b1b8e400
ObReferenceObjectByHandle Handle_unk = 0xffffffff80000e98, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0xffffe00069ba2080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe00069ba2080, ret_val_ptr_out = 0x20004
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe00067e72040, ret_val_ptr_out = 0x2f9ab
IoCompleteRequest ret_val_out = 0x0
Execution Path #19 (length: 27, count: 1, processes: 1)
Sequence Length: 27
Processes (process, count):
Process 26 (vidhs3md64.exe, PID: 2644) 1
Sequence (symbol, parameters):
PsLookupProcessByProcessId ProcessId_unk = 0x240, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe000696a6840, PROCESS_unk_out = 0xffffe000696a6840, ApcState_unk_out = 0xffffd000b1b8e400
ObReferenceObjectByHandle Handle_unk = 0x704, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0xffffc001484bf7d0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe000696a6840, ret_val_ptr_out = 0x7817b
ObQueryNameString Object_ptr = 0xffffc001484bf7d0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe0006843c7c4, ReturnLength_ptr_out = 0xffffd000b1b8e380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc001484bf7d0, ret_val_ptr_out = 0x17fff
PsLookupProcessByProcessId ProcessId_unk = 0x240, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe000696a6840, PROCESS_unk_out = 0xffffe000696a6840, ApcState_unk_out = 0xffffd000b1b8e400
ObReferenceObjectByHandle Handle_unk = 0x774, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0xffffe00069f534d0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe000696a6840, ret_val_ptr_out = 0x7817a
ObQueryNameString Object_ptr = 0xffffe00069a2b060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe0006a0d0044, ReturnLength_ptr_out = 0xffffd000b1b8e338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe00069f534d0, ret_val_ptr_out = 0x7fe9
PsLookupProcessByProcessId ProcessId_unk = 0x240, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe000696a6840, PROCESS_unk_out = 0xffffe000696a6840, ApcState_unk_out = 0xffffd000b1b8e400
ObReferenceObjectByHandle Handle_unk = 0x77c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0xffffe00069f54090, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe000696a6840, ret_val_ptr_out = 0x78179
ObQueryNameString Object_ptr = 0xffffe0006907e3f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe0006840f7c4, ReturnLength_ptr_out = 0xffffd000b1b8e338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe00069f54090, ret_val_ptr_out = 0x7cb4
Execution Path #20 (length: 18, count: 1, processes: 1)
Information Value
Sequence Length 18
Processes
Process Count
Process 26 (vidhs3md64.exe, PID: 2644) 1
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x340, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe00069851840, PROCESS_unk_out = 0xffffe00069851840, ApcState_unk_out = 0xffffd000b1b8e400
ObReferenceObjectByHandle Handle_unk = 0x928, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0xffffe00069fd1a30, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe00069851840, ret_val_ptr_out = 0x3fffe
ObQueryNameString Object_ptr = 0xffffe00069086c90, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe000684197c4, ReturnLength_ptr_out = 0xffffd000b1b8e338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe00069fd1a30, ret_val_ptr_out = 0x8006
PsLookupProcessByProcessId ProcessId_unk = 0x340, Process_unk_out = 0xffffd000b1b8e388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe00069851840, PROCESS_unk_out = 0xffffe00069851840, ApcState_unk_out = 0xffffd000b1b8e400
ObReferenceObjectByHandle Handle_unk = 0x944, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b1b8e378, Object_out = 0xffffe0006a50d8c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000b1b8e400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe00069851840, ret_val_ptr_out = 0x3fffd
ObQueryNameString Object_ptr = 0xffffe00069086c90, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe0006a3b4344, ReturnLength_ptr_out = 0xffffd000b1b8e338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe0006a50d8c0, ret_val_ptr_out = 0x800e
Execution Path #23 (length: 2, count: 5, processes: 1)
Information Value
Sequence Length 2
Processes
Process Count
Process 125 (vidhs3md64.exe, PID: 2100) 5
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0xde8, Process_unk_out = 0xffffd000ac0cf388, ret_val_out = 0xc000000b
IoCompleteRequest ret_val_out = 0x0
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.
Before

After

Screenshot