VTI SCORE: 95/100
| Dynamic Analysis Report |
| Classification: Riskware, Dropper, Trojan, Ransomware |
335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf (SHA256)
cary.exe
Windows Exe (x86-32)
Created at 2018-11-09 19:45:00
Notifications (2/4)
Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Kernel Graph 1
Code Block #1 (EP #1)
»
| Information | Value |
|---|---|
| Trigger | IopLoadDriver+0x5e4 |
| Start Address | 0xfffff800e55e9058 |
Execution Path #1 (length: 58, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 58 |
Processes
»
| Process | Count |
|---|---|
| Process 55 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlInitUnicodeString | SourceString = PsAcquireProcessExitSynchronization, DestinationString_out = PsAcquireProcessExitSynchronization |
| MmGetSystemRoutineAddress | SystemRoutineName = PsAcquireProcessExitSynchronization, ret_val_ptr_out = 0xfffff8011b11e204 |
| RtlInitUnicodeString | SourceString = PsReleaseProcessExitSynchronization, DestinationString_out = PsReleaseProcessExitSynchronization |
| MmGetSystemRoutineAddress | SystemRoutineName = PsReleaseProcessExitSynchronization, ret_val_ptr_out = 0xfffff8011b122ce0 |
| RtlInitUnicodeString | SourceString = ObGetObjectType, DestinationString_out = ObGetObjectType |
| MmGetSystemRoutineAddress | SystemRoutineName = ObGetObjectType, ret_val_ptr_out = 0xfffff8011b135ae8 |
| ObGetObjectType | ret_val_out = 0xffffe000ff8694e0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x26, Tag = 0x544f4550, ret_val_ptr_out = 0xffffc0010e396950 |
| ObOpenObjectByName | ObjectAttributes_unk = 0xffffd000b5fbf5a0, ObjectType_unk = 0xffffe000ff8694e0, AccessMode_unk = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0xffffd000000f0001, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Handle_ptr_out = 0xffffd000b5fbf5f8, Handle_out = 0xffffffff80000edc, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc0010e396950, Tag = 0x0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000edc, DesiredAccess_unk = 0xf0001, ObjectType_unk = 0xffffe000ff8694e0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b5fbf600, Object_out = 0xffffe000ff870f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000edc, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe000ff870f20, ret_val_ptr_out = 0x2 |
| RtlInitUnicodeString | SourceString = \Device\PROCEXP152, DestinationString_out = \Device\PROCEXP152 |
| RtlInitUnicodeString | SourceString = D:P(A;;GA;;;SY)(A;;GA;;;BA), DestinationString_out = D:P(A;;GA;;;SY)(A;;GA;;;BA) |
| RtlInitUnicodeString | SourceString = IoCreateDeviceSecure, DestinationString_out = IoCreateDeviceSecure |
| MmGetSystemRoutineAddress | SystemRoutineName = IoCreateDeviceSecure, ret_val_ptr_out = 0x0 |
| RtlInitUnicodeString | SourceString = IoValidateDeviceIoControlAccess, DestinationString_out = IoValidateDeviceIoControlAccess |
| MmGetSystemRoutineAddress | SystemRoutineName = IoValidateDeviceIoControlAccess, ret_val_ptr_out = 0xfffff8011ad0d874 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x68, Tag = 0x6c416553, ret_val_ptr_out = 0xffffc0010e4b1d70 |
| _wcsnicmp | _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0 |
| _wcsnicmp | _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11 |
| _wcsnicmp | _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12 |
| _wcsnicmp | _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| _wcsnicmp | _String1 = SY, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -4 |
| _wcsnicmp | _String1 = SY, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 17 |
| _wcsnicmp | _String1 = SY, _String2 = SY, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| RtlLengthSid | Sid_ptr = 0xffffe000ff854740, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, ret_val_out = 0xc |
| RtlAddAccessAllowedAce | Acl_unk = 0xffffc0010e4b1d70, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffe000ff854740, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, Acl_unk_out = 0xffffc0010e4b1d70, ret_val_out = 0x0 |
| _wcsnicmp | _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0 |
| _wcsnicmp | _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11 |
| _wcsnicmp | _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12 |
| _wcsnicmp | _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| _wcsnicmp | _String1 = BA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -21 |
| _wcsnicmp | _String1 = BA, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| RtlLengthSid | Sid_ptr = 0xffffc0010dc00390, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, ret_val_out = 0x10 |
| RtlAddAccessAllowedAce | Acl_unk = 0xffffc0010e4b1d70, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffc0010dc00390, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, Acl_unk_out = 0xffffc0010e4b1d70, ret_val_out = 0x0 |
| RtlCreateSecurityDescriptor | Revision = 0x1, SecurityDescriptor_unk_out = 0xffffd000b5fbf488, ret_val_out = 0x0 |
| RtlSetDaclSecurityDescriptor | SecurityDescriptor_unk = 0xffffd000b5fbf488, DaclPresent = 1, Dacl_unk = 0xffffc0010e4b1d70, DaclDefaulted = 0, SecurityDescriptor_unk_out = 0xffffd000b5fbf488, ret_val_out = 0x0 |
| RtlAbsoluteToSelfRelativeSD | AbsoluteSecurityDescriptor_unk = 0xffffd000b5fbf488, BufferLength_ptr = 0xffffd000b5fbf4d0, SelfRelativeSecurityDescriptor_unk_out = 0x0, BufferLength_ptr_out = 0xffffd000b5fbf4d0, ret_val_out = 0xc0000023 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x48, Tag = 0x64536553, ret_val_ptr_out = 0xffffc00111988580 |
| RtlAbsoluteToSelfRelativeSD | AbsoluteSecurityDescriptor_unk = 0xffffd000b5fbf488, BufferLength_ptr = 0xffffd000b5fbf4d0, SelfRelativeSecurityDescriptor_unk_out = 0xffffc00111988580, BufferLength_ptr_out = 0xffffd000b5fbf4d0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc0010e4b1d70, Tag = 0x0 |
| IoCreateDevice | DriverObject_unk = 0xffffe0010044c7e0, DeviceExtensionSize = 0x0, DeviceName = \Device\PROCEXP152, DeviceType_unk = 0x8335, DeviceCharacteristics = 0x0, Exclusive = 0, DeviceObject_unk_out = 0xffffd000b5fbf5d0, ret_val_out = 0x0 |
| RtlGetOwnerSecurityDescriptor | SecurityDescriptor_unk = 0xffffc00111988580, Owner_ptr_out = 0xffffd000b5fbf460, Owner_out = 0x0, OwnerDefaulted_ptr_out = 0xffffd000b5fbf498, ret_val_out = 0x0 |
| RtlGetGroupSecurityDescriptor | SecurityDescriptor_unk = 0xffffc00111988580, Group_ptr_out = 0xffffd000b5fbf460, Group_out = 0x0, GroupDefaulted_ptr_out = 0xffffd000b5fbf498, ret_val_out = 0x0 |
| RtlGetSaclSecurityDescriptor | SecurityDescriptor_unk = 0xffffc00111988580, SaclPresent_ptr_out = 0xffffd000b5fbf4a8, Sacl_unk_out = 0xffffd000b5fbf468, SaclDefaulted_ptr_out = 0xffffd000b5fbf498, ret_val_out = 0x0 |
| RtlGetDaclSecurityDescriptor | SecurityDescriptor_unk = 0xffffc00111988580, DaclPresent_ptr_out = 0xffffd000b5fbf4a8, Dacl_unk_out = 0xffffd000b5fbf468, DaclDefaulted_ptr_out = 0xffffd000b5fbf498, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe001003c6bc0, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x40000, ObjectType_unk = 0xffffe000ff882f20, AccessMode_unk = 0xffffe0010044c700, Handle_ptr_out = 0xffffd000b5fbf4d0, Handle_out = 0xffffffff80000edc, ret_val_out = 0x0 |
| ZwSetSecurityObject | Handle_unk = 0xffffffff80000edc, SecurityInformation_unk = 0x4, SecurityDescriptor_unk = 0xffffc00111988580, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000edc, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc00111988580, Tag = 0x0 |
| RtlInitUnicodeString | SourceString = \DosDevices\PROCEXP152, DestinationString_out = \DosDevices\PROCEXP152 |
| IoCreateSymbolicLink | SymbolicLinkName = \DosDevices\PROCEXP152, DeviceName = \Device\PROCEXP152, ret_val_out = 0x0 |
Kernel Graph 2
Code Block #2 (EP #2, #3, #4, #5, #6, #17, #22)
»
| Information | Value |
|---|---|
| Trigger | IofCallDriver+0x4b |
| Start Address | 0xfffff800e55e2000 |
Execution Path #2 (length: 5, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 1 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| SeCaptureSubjectContext | SubjectContext_unk_out = 0xffffd000b6357328 |
| ExGetPreviousMode | ret_val_unk_out = 0x1 |
| SePrivilegeCheck | RequiredPrivileges_unk = 0xffffd000b6357348, SubjectSecurityContext_unk = 0xffffd000b6357328, AccessMode_unk = 0x1, RequiredPrivileges_unk_out = 0xffffd000b6357348, ret_val_out = 1 |
| SeReleaseSubjectContext | SubjectContext_unk = 0xffffd000b6357328, SubjectContext_unk_out = 0xffffd000b6357328 |
| IoCompleteRequest | ret_val_out = 0x884 |
Execution Path #3 (length: 10, count: 1900, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 10 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 933 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 967 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x85c, Process_unk_out = 0xffffd000b6357388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe00101b10700, PROCESS_unk_out = 0xffffe00101b10700, ApcState_unk_out = 0xffffd000b6357400 |
| ObReferenceObjectByHandle | Handle_unk = 0xf4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b6357378, Object_out = 0xffffe0010081eb60, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6357400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101b10700, ret_val_ptr_out = 0x20007 |
| ObQueryNameString | Object_ptr = 0xffffe0010081eb60, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001025dc044, ReturnLength_ptr_out = 0xffffd000b6357380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010081eb60, ret_val_ptr_out = 0x10001 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #4 (length: 13, count: 8, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 4 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x85c, Process_unk_out = 0xffffd000b63573d8, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe00101b10700, PROCESS_unk_out = 0xffffe00101b10700, ApcState_unk_out = 0xffffd000b63573f8 |
| ObReferenceObjectByHandle | Handle_unk = 0xe8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b63573e0, Object_out = 0xffffe001020b5870, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101b10700, ret_val_ptr_out = 0x20002 |
| ZwQueryObject | Handle_unk = 0xe8, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x0, ObjectInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000b63573d4, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x88, Tag = 0x58637250, ret_val_ptr_out = 0xffffc001136061a0 |
| ZwQueryObject | Handle_unk = 0xe8, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x88, ObjectInformation_ptr_out = 0xffffc001136061a0, ReturnLength_ptr_out = 0x0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc001136061a0, Tag = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001020b5870, ret_val_ptr_out = 0x7ffe |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b63573f8 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #5 (length: 2, count: 16, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 8 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 8 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcess | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd000b63574b8, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd000b63574a8, ClientId_deref_UniqueProcess_unk = 0xd68, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffe001012e3cc0, ProcessHandle_out = 0x1a0, ret_val_out = 0x0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #6 (length: 4, count: 10, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 5 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 5 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcess | DesiredAccess_unk = 0x40, ObjectAttributes_ptr = 0xffffd000b6357438, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd000b6357428, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd000b6357420, ProcessHandle_out = 0xffffffff8000117c, ret_val_out = 0x0 |
| ZwDuplicateObject | SourceProcessHandle_unk = 0xffffffff8000117c, SourceHandle_unk = 0x11f4, TargetProcessHandle_unk = 0xffffffffffffffff, DesiredAccess_unk = 0x10000000, HandleAttributes = 0x0, Options = 0x0, TargetHandle_ptr_out = 0xffffe001012e3cc0, TargetHandle_out = 0x19c, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff8000117c, ret_val_out = 0x0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #17 (length: 6, count: 133, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 68 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 65 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0x19c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b6357498, Object_out = 0xffffe000ff8b7080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe000ff8b7080, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffffd000b63574a0, Handle_out = 0xffffffff80000f70, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe000ff8b7080, ret_val_ptr_out = 0x67ffb |
| ZwOpenProcessToken | ProcessHandle_unk = 0xffffffff80000f70, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffe000fffd7100, TokenHandle_out = 0x1a4, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000f70, ret_val_out = 0x0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #22 (length: 5, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0x18c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b498, Object_out = 0xffffe0010206a840, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0010206a840, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffffd000b7d7b4a0, Handle_out = 0xffffffff80000e48, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010206a840, ret_val_ptr_out = 0x2ffea |
| ZwOpenProcessToken | ProcessHandle_unk = 0xffffffff80000e48, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffe000fff0a300, TokenHandle_out = 0x188, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000e48, ret_val_out = 0x0 |
Kernel Graph 3
Code Block #3 (EP #7)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2620 |
| Start Address | 0xfffff8011b0d0384 |
Execution Path #7 (length: 1, count: 1725, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 868 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 857 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffffd000b6357388, ret_val_out = 0x0 |
Kernel Graph 4
Code Block #4 (EP #8)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2641 |
| Start Address | 0xfffff8011b11e204 |
Execution Path #8 (length: 1, count: 1642, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 833 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 809 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
Kernel Graph 5
Code Block #5 (EP #9)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2669 |
| Start Address | 0xfffff8011ac89dc0 |
Execution Path #9 (length: 1, count: 1633, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 824 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 809 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeStackAttachProcess | PROCESS_unk = 0xffffe000ff87e840, PROCESS_unk_out = 0xffffe000ff87e840, ApcState_unk_out = 0xffffd000b6357400 |
Kernel Graph 6
Code Block #6 (EP #10)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26a0 |
| Start Address | 0xfffff8011b034640 |
Execution Path #10 (length: 1, count: 1633, processes: 87)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 1 (cary.exe, PID: 3488) | 23 |
| Process 2 (UNKNOWN, PID: UNKNOWN) | 10 |
| Process 5 (nwi6lhb5.exe, PID: 3708) | 10 |
| Process 6 (UNKNOWN, PID: UNKNOWN) | 10 |
| Process 8 (cmd.exe, PID: 3220) | 4 |
| Process 9 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 13 (wscript.exe, PID: 3264) | 7 |
| Process 15 (cmd.exe, PID: 64) | 4 |
| Process 16 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 26 (cmd.exe, PID: 1896) | 5 |
| Process 27 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 35 (cmd.exe, PID: 2660) | 4 |
| Process 36 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 42 (cmd.exe, PID: 3612) | 4 |
| Process 43 (cmd.exe, PID: 2760) | 9 |
| Process 44 (UNKNOWN, PID: UNKNOWN) | 8 |
| Process 45 (g13k6qzj.exe, PID: 4036) | 5 |
| Process 49 (cmd.exe, PID: 2136) | 9 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 4 |
| Process 51 (UNKNOWN, PID: UNKNOWN) | 8 |
| Process 55 (System, PID: 4) | 246 |
| Process 56 (smss.exe, PID: 268) | 12 |
| Process 57 (csrss.exe, PID: 344) | 48 |
| Process 58 (wininit.exe, PID: 408) | 10 |
| Process 59 (csrss.exe, PID: 416) | 103 |
| Process 60 (winlogon.exe, PID: 464) | 8 |
| Process 61 (services.exe, PID: 488) | 16 |
| Process 62 (lsass.exe, PID: 496) | 24 |
| Process 63 (svchost.exe, PID: 584) | 44 |
| Process 64 (svchost.exe, PID: 616) | 20 |
| Process 65 (dwm.exe, PID: 712) | 24 |
| Process 66 (svchost.exe, PID: 816) | 95 |
| Process 67 (svchost.exe, PID: 824) | 111 |
| Process 68 (svchost.exe, PID: 864) | 16 |
| Process 69 (svchost.exe, PID: 872) | 36 |
| Process 70 (svchost.exe, PID: 928) | 24 |
| Process 71 (svchost.exe, PID: 672) | 30 |
| Process 72 (spoolsv.exe, PID: 560) | 36 |
| Process 74 (svchost.exe, PID: 1092) | 22 |
| Process 75 (officeclicktorun.exe, PID: 1256) | 22 |
| Process 76 (svchost.exe, PID: 1536) | 20 |
| Process 77 (sihost.exe, PID: 1912) | 10 |
| Process 78 (taskhostw.exe, PID: 1964) | 22 |
| Process 79 (explorer.exe, PID: 1288) | 196 |
| Process 80 (runtimebroker.exe, PID: 2068) | 8 |
| Process 81 (shellexperiencehost.exe, PID: 2464) | 34 |
| Process 82 (searchui.exe, PID: 2940) | 44 |
| Process 83 (backgroundtaskhost.exe, PID: 1416) | 6 |
| Process 84 (uni-likely-strap.exe, PID: 1848) | 6 |
| Process 85 (turkey.exe, PID: 2960) | 6 |
| Process 86 (comfortable_welsh.exe, PID: 2244) | 6 |
| Process 87 (immediate.exe, PID: 2408) | 6 |
| Process 88 (unlimited-victims.exe, PID: 2264) | 6 |
| Process 89 (dishes neither nepal.exe, PID: 2856) | 6 |
| Process 90 (tenant.exe, PID: 440) | 6 |
| Process 91 (momentum.exe, PID: 740) | 6 |
| Process 92 (pharmaceutical photoshop.exe, PID: 2772) | 6 |
| Process 93 (song_biz_boats.exe, PID: 2080) | 6 |
| Process 94 (tramadol_operates_statute.exe, PID: 2896) | 6 |
| Process 95 (batteries dirty.exe, PID: 2784) | 6 |
| Process 96 (mad.exe, PID: 2836) | 6 |
| Process 97 (downloadedrack.exe, PID: 1716) | 6 |
| Process 98 (command.exe, PID: 2304) | 6 |
| Process 99 (abortionauditordirectors.exe, PID: 1380) | 6 |
| Process 100 (romance.exe, PID: 2632) | 6 |
| Process 101 (markets-represented-quarterly.exe, PID: 2840) | 6 |
| Process 102 (properly.exe, PID: 2268) | 6 |
| Process 103 (publisherfunnydownloaded.exe, PID: 1104) | 6 |
| Process 104 (audiodg.exe, PID: 3340) | 8 |
| Process 105 (svchost.exe, PID: 4040) | 6 |
| Process 106 (sppsvc.exe, PID: 3432) | 4 |
| Process 109 (cmd.exe, PID: 2844) | 6 |
| Process 110 (dllhost.exe, PID: 2140) | 5 |
| Process 111 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 113 (cmd.exe, PID: 1860) | 4 |
| Process 114 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 122 (cmd.exe, PID: 1900) | 4 |
| Process 123 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 129 (cmd.exe, PID: 1404) | 4 |
| Process 130 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 141 (cmd.exe, PID: 1748) | 4 |
| Process 142 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 150 (cmd.exe, PID: 1496) | 4 |
| Process 152 (g13k6qzj.exe, PID: 3260) | 5 |
| Process 155 (cmd.exe, PID: 3184) | 4 |
| Process 156 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 160 (g13k6qzj64.exe, PID: 3156) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000c0c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b6357378, Object_out = 0xffffe00100abaf20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
Kernel Graph 7
Code Block #7 (EP #11)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26d2 |
| Start Address | 0xfffff8011ac89eb0 |
Execution Path #11 (length: 1, count: 1633, processes: 87)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 1 (cary.exe, PID: 3488) | 23 |
| Process 2 (UNKNOWN, PID: UNKNOWN) | 10 |
| Process 5 (nwi6lhb5.exe, PID: 3708) | 10 |
| Process 6 (UNKNOWN, PID: UNKNOWN) | 10 |
| Process 8 (cmd.exe, PID: 3220) | 4 |
| Process 9 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 13 (wscript.exe, PID: 3264) | 7 |
| Process 15 (cmd.exe, PID: 64) | 4 |
| Process 16 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 26 (cmd.exe, PID: 1896) | 5 |
| Process 27 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 35 (cmd.exe, PID: 2660) | 4 |
| Process 36 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 42 (cmd.exe, PID: 3612) | 4 |
| Process 43 (cmd.exe, PID: 2760) | 9 |
| Process 44 (UNKNOWN, PID: UNKNOWN) | 8 |
| Process 45 (g13k6qzj.exe, PID: 4036) | 5 |
| Process 49 (cmd.exe, PID: 2136) | 9 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 4 |
| Process 51 (UNKNOWN, PID: UNKNOWN) | 8 |
| Process 55 (System, PID: 4) | 246 |
| Process 56 (smss.exe, PID: 268) | 12 |
| Process 57 (csrss.exe, PID: 344) | 48 |
| Process 58 (wininit.exe, PID: 408) | 10 |
| Process 59 (csrss.exe, PID: 416) | 103 |
| Process 60 (winlogon.exe, PID: 464) | 8 |
| Process 61 (services.exe, PID: 488) | 16 |
| Process 62 (lsass.exe, PID: 496) | 24 |
| Process 63 (svchost.exe, PID: 584) | 44 |
| Process 64 (svchost.exe, PID: 616) | 20 |
| Process 65 (dwm.exe, PID: 712) | 24 |
| Process 66 (svchost.exe, PID: 816) | 95 |
| Process 67 (svchost.exe, PID: 824) | 111 |
| Process 68 (svchost.exe, PID: 864) | 16 |
| Process 69 (svchost.exe, PID: 872) | 36 |
| Process 70 (svchost.exe, PID: 928) | 24 |
| Process 71 (svchost.exe, PID: 672) | 30 |
| Process 72 (spoolsv.exe, PID: 560) | 36 |
| Process 74 (svchost.exe, PID: 1092) | 22 |
| Process 75 (officeclicktorun.exe, PID: 1256) | 22 |
| Process 76 (svchost.exe, PID: 1536) | 20 |
| Process 77 (sihost.exe, PID: 1912) | 10 |
| Process 78 (taskhostw.exe, PID: 1964) | 22 |
| Process 79 (explorer.exe, PID: 1288) | 196 |
| Process 80 (runtimebroker.exe, PID: 2068) | 8 |
| Process 81 (shellexperiencehost.exe, PID: 2464) | 34 |
| Process 82 (searchui.exe, PID: 2940) | 44 |
| Process 83 (backgroundtaskhost.exe, PID: 1416) | 6 |
| Process 84 (uni-likely-strap.exe, PID: 1848) | 6 |
| Process 85 (turkey.exe, PID: 2960) | 6 |
| Process 86 (comfortable_welsh.exe, PID: 2244) | 6 |
| Process 87 (immediate.exe, PID: 2408) | 6 |
| Process 88 (unlimited-victims.exe, PID: 2264) | 6 |
| Process 89 (dishes neither nepal.exe, PID: 2856) | 6 |
| Process 90 (tenant.exe, PID: 440) | 6 |
| Process 91 (momentum.exe, PID: 740) | 6 |
| Process 92 (pharmaceutical photoshop.exe, PID: 2772) | 6 |
| Process 93 (song_biz_boats.exe, PID: 2080) | 6 |
| Process 94 (tramadol_operates_statute.exe, PID: 2896) | 6 |
| Process 95 (batteries dirty.exe, PID: 2784) | 6 |
| Process 96 (mad.exe, PID: 2836) | 6 |
| Process 97 (downloadedrack.exe, PID: 1716) | 6 |
| Process 98 (command.exe, PID: 2304) | 6 |
| Process 99 (abortionauditordirectors.exe, PID: 1380) | 6 |
| Process 100 (romance.exe, PID: 2632) | 6 |
| Process 101 (markets-represented-quarterly.exe, PID: 2840) | 6 |
| Process 102 (properly.exe, PID: 2268) | 6 |
| Process 103 (publisherfunnydownloaded.exe, PID: 1104) | 6 |
| Process 104 (audiodg.exe, PID: 3340) | 8 |
| Process 105 (svchost.exe, PID: 4040) | 6 |
| Process 106 (sppsvc.exe, PID: 3432) | 4 |
| Process 109 (cmd.exe, PID: 2844) | 6 |
| Process 110 (dllhost.exe, PID: 2140) | 5 |
| Process 111 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 113 (cmd.exe, PID: 1860) | 4 |
| Process 114 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 122 (cmd.exe, PID: 1900) | 4 |
| Process 123 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 129 (cmd.exe, PID: 1404) | 4 |
| Process 130 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 141 (cmd.exe, PID: 1748) | 4 |
| Process 142 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 150 (cmd.exe, PID: 1496) | 4 |
| Process 152 (g13k6qzj.exe, PID: 3260) | 5 |
| Process 155 (cmd.exe, PID: 3184) | 4 |
| Process 156 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 160 (g13k6qzj64.exe, PID: 3156) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6357400 |
Kernel Graph 8
Code Block #8 (EP #12)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26ee |
| Start Address | 0xfffff8011b122ce0 |
Execution Path #12 (length: 1, count: 1633, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 824 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 809 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
Kernel Graph 9
Code Block #9 (EP #13)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26f5 |
| Start Address | 0xfffff8011ac579b0 |
Execution Path #13 (length: 1, count: 3269, processes: 5)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 1648 |
| Process 1 (cary.exe, PID: 3488) | 6 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 1606 |
| Process 13 (wscript.exe, PID: 3264) | 2 |
| Process 55 (System, PID: 4) | 7 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObfDereferenceObject | Object_ptr = 0xffffe000ff87e840, ret_val_ptr_out = 0x2fcee |
Kernel Graph 10
Code Block #10 (EP #14)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x27c8 |
| Start Address | 0xfffff8011b13a118 |
Execution Path #14 (length: 1, count: 1612, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 815 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 797 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObQueryNameString | Object_ptr = 0xffffe00100abaf20, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00101f64044, ReturnLength_ptr_out = 0xffffd000b6357380, ret_val_out = 0x0 |
Kernel Graph 11
Code Block #11 (EP #15)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x20f2 |
| Start Address | 0xfffff8011ac5b150 |
Execution Path #15 (length: 1, count: 1718, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 860 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 858 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoCompleteRequest | ret_val_out = 0x0 |
Kernel Graph 12
Code Block #12 (EP #16, #18, #19, #20, #23)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x211a |
| Start Address | 0xfffff8011b03e17d |
Execution Path #16 (length: 9, count: 11, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 5 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 6 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffffd000b6357388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe000ff87e840, PROCESS_unk_out = 0xffffe000ff87e840, ApcState_unk_out = 0xffffd000b6357400 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000f9c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b6357378, Object_out = 0xffffe0010029bf20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010029bf20, ret_val_ptr_out = 0x8000 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6357400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe000ff87e840, ret_val_ptr_out = 0x2fc7d |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #18 (length: 8, count: 5, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 8 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 4 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x338, Process_unk_out = 0xffffd000b6357388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe00101141840, PROCESS_unk_out = 0xffffe00101141840, ApcState_unk_out = 0xffffd000b6357400 |
| ObReferenceObjectByHandle | Handle_unk = 0x588, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b6357378, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6357400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101141840, ret_val_ptr_out = 0x40045 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #19 (length: 2, count: 69, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 24 |
| Process 50 (g13k6qzj64.exe, PID: 3456) | 45 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x428, Process_unk_out = 0xffffd000b6357388, ret_val_out = 0xc000000b |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #20 (length: 612, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 612 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x43c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00100e22c40, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580f0 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b1e044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00100e22c40, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x44c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c163b0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ef |
| ObQueryNameString | Object_ptr = 0xffffc00110c163b0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b1f044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c163b0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x5a8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b51350, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ee |
| ObQueryNameString | Object_ptr = 0xffffc00110b51350, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b21044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b51350, ret_val_ptr_out = 0x7fff |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x5f4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a80530, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ed |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b22044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a80530, ret_val_ptr_out = 0x800e |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x5f8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b51490, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ec |
| ObQueryNameString | Object_ptr = 0xffffc00110b51490, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b26044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b51490, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x658, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a84a20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580eb |
| ObQueryNameString | Object_ptr = 0xffffe00101a84a20, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b27044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a84a20, ret_val_ptr_out = 0x7ff2 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x65c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b714f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ea |
| ObQueryNameString | Object_ptr = 0xffffc00110b714f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ad27c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b714f0, ret_val_ptr_out = 0x3fff8 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x694, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b5d200, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e9 |
| ObQueryNameString | Object_ptr = 0xffffc00110b5d200, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102a7d044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b5d200, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x698, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a85d90, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e8 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b11044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a85d90, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x6f4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b5b250, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e7 |
| ObQueryNameString | Object_ptr = 0xffffc00110b5b250, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b15044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b5b250, ret_val_ptr_out = 0x7fff |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x7a8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b714f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e6 |
| ObQueryNameString | Object_ptr = 0xffffc00110b714f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102add044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b714f0, ret_val_ptr_out = 0x3fff7 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x7b0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b714f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e5 |
| ObQueryNameString | Object_ptr = 0xffffc00110b714f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102aeb044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b714f0, ret_val_ptr_out = 0x3fff6 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x7e0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00117420350, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e4 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102aef044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00117420350, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x7e4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b88940, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e3 |
| ObQueryNameString | Object_ptr = 0xffffc00110b88940, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ae87c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b88940, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x7e8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a98480, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e2 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b13044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a98480, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x7ec, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b8b9c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e1 |
| ObQueryNameString | Object_ptr = 0xffffc00110b8b9c0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ae6044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b8b9c0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x7f0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe001174204c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580e0 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ad27c4, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001174204c0, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x7f4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b8d610, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580df |
| ObQueryNameString | Object_ptr = 0xffffc00110b8d610, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102a7d044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b8d610, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x814, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b714f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580de |
| ObQueryNameString | Object_ptr = 0xffffc00110b714f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b4a7c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b714f0, ret_val_ptr_out = 0x3fff5 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x818, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b714f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580dd |
| ObQueryNameString | Object_ptr = 0xffffc00110b714f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b11044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b714f0, ret_val_ptr_out = 0x3fff4 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x828, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00100ae28a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580dc |
| ObQueryNameString | Object_ptr = 0xffffe00100ae28a0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b15044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00100ae28a0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x834, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00100ae2090, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580db |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102add044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00100ae2090, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x838, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b30430, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580da |
| ObQueryNameString | Object_ptr = 0xffffc00110b30430, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b4f7c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b30430, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x83c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a9a990, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d9 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102aeb044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a9a990, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x840, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b90790, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d8 |
| ObQueryNameString | Object_ptr = 0xffffc00110b90790, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102aef044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b90790, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x85c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b714f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d7 |
| ObQueryNameString | Object_ptr = 0xffffc00110b714f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ae87c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b714f0, ret_val_ptr_out = 0x3fff3 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x868, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a9b750, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d6 |
| ObQueryNameString | Object_ptr = 0xffffe00101a9b750, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b13044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a9b750, ret_val_ptr_out = 0x7fff |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x884, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101ab7b00, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d5 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b27044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101ab7b00, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x88c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b714f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d4 |
| ObQueryNameString | Object_ptr = 0xffffc00110b714f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102070044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b714f0, ret_val_ptr_out = 0x3fff2 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x8a8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b714f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d3 |
| ObQueryNameString | Object_ptr = 0xffffc00110b714f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ad27c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b714f0, ret_val_ptr_out = 0x3fff1 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x8d4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc001109d0060, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d2 |
| ObQueryNameString | Object_ptr = 0xffffc001109d0060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102a7d044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc001109d0060, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x8fc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a4e090, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d1 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b4a7c4, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a4e090, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x90c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc0010ff10330, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580d0 |
| ObQueryNameString | Object_ptr = 0xffffc0010ff10330, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b11044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc0010ff10330, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x910, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a4eca0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580cf |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b15044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a4eca0, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x92c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00100e22690, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ce |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102add044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00100e22690, ret_val_ptr_out = 0x7ffc |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x938, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc0010f9b2250, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580cd |
| ObQueryNameString | Object_ptr = 0xffffc0010f9b2250, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b4f7c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc0010f9b2250, ret_val_ptr_out = 0x11ffde |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x93c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101a4e7d0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580cc |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102aeb044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101a4e7d0, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x940, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc0010f725550, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580cb |
| ObQueryNameString | Object_ptr = 0xffffc0010f725550, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102aef044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc0010f725550, ret_val_ptr_out = 0x117fde |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x948, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c0d9c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ca |
| ObQueryNameString | Object_ptr = 0xffffc00110c0d9c0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ae87c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c0d9c0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x95c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101ad05c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c9 |
| ObQueryNameString | Object_ptr = 0xffffe00101ad05c0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b13044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101ad05c0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0x998, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe001013ae630, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c8 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ae6044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001013ae630, ret_val_ptr_out = 0x7fff |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xaac, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c8ba30, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c7 |
| ObQueryNameString | Object_ptr = 0xffffc00110c8ba30, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b12044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c8ba30, ret_val_ptr_out = 0xfffd |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xac8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b2ba10, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c6 |
| ObQueryNameString | Object_ptr = 0xffffc00110b2ba10, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b20044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b2ba10, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xae4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101363d30, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c5 |
| ObQueryNameString | Object_ptr = 0xffffe00101363d30, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b18044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101363d30, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xaf4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c55b10, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c4 |
| ObQueryNameString | Object_ptr = 0xffffc00110c55b10, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b25044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c55b10, ret_val_ptr_out = 0xfffd |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb50, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101390ce0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c3 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b28044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101390ce0, ret_val_ptr_out = 0x8002 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb54, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c245b0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c2 |
| ObQueryNameString | Object_ptr = 0xffffc00110c245b0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00101ed8044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c245b0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb58, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe001013789a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c1 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ab2044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001013789a0, ret_val_ptr_out = 0x8002 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb5c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c21fc0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580c0 |
| ObQueryNameString | Object_ptr = 0xffffc00110c21fc0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ae9044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c21fc0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb60, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe0010111e190, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580bf |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102aea044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010111e190, ret_val_ptr_out = 0x8003 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb64, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c2b520, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580be |
| ObQueryNameString | Object_ptr = 0xffffc00110c2b520, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102aee044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c2b520, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb68, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101ae1320, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580bd |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102af0044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101ae1320, ret_val_ptr_out = 0x8003 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb6c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c30890, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580bc |
| ObQueryNameString | Object_ptr = 0xffffc00110c30890, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b10044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c30890, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb70, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101ae1a50, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580bb |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b14044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101ae1a50, ret_val_ptr_out = 0x8003 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb74, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110c30110, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ba |
| ObQueryNameString | Object_ptr = 0xffffc00110c30110, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b1a044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110c30110, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb78, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe001016a11b0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b9 |
| ObQueryNameString | Object_ptr = 0xffffe001016a11b0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b1c044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001016a11b0, ret_val_ptr_out = 0x800d |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xb84, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101867f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b8 |
| ObQueryNameString | Object_ptr = 0xffffe00101867f20, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b1d044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101867f20, ret_val_ptr_out = 0x7fff |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xbc4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00100bf5e50, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b7 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b1e044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00100bf5e50, ret_val_ptr_out = 0x8003 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xbf0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc00110b403d0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b6 |
| ObQueryNameString | Object_ptr = 0xffffc00110b403d0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b1f044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc00110b403d0, ret_val_ptr_out = 0xffff |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xc2c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00100bf5ce0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b5 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b21044, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00100bf5ce0, ret_val_ptr_out = 0x7fff |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xc50, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc0011068fbf0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b4 |
| ObQueryNameString | Object_ptr = 0xffffc0011068fbf0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102070044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc0011068fbf0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xc54, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe001013947a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b3 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102ad27c4, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001013947a0, ret_val_ptr_out = 0x7ffa |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xc58, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc001109ed3e0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b2 |
| ObQueryNameString | Object_ptr = 0xffffc001109ed3e0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102a7d044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc001109ed3e0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xc5c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101397960, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b1 |
| ObQueryNameString | Object_ptr = 0xffffe00100a3e060, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b4a7c4, ReturnLength_ptr_out = 0xffffd000b7d7b338, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101397960, ret_val_ptr_out = 0x8003 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xc64, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffc0010ff818c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580b0 |
| ObQueryNameString | Object_ptr = 0xffffc0010ff818c0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b11044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffc0010ff818c0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xc68, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101397300, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580af |
| ObQueryNameString | Object_ptr = 0xffffe00101397300, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b15044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101397300, ret_val_ptr_out = 0x7fd6 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xc6c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe001013977f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ae |
| ObQueryNameString | Object_ptr = 0xffffe001013977f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102add044, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001013977f0, ret_val_ptr_out = 0x7ffe |
| PsLookupProcessByProcessId | ProcessId_unk = 0xb7c, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe0010177d840, PROCESS_unk_out = 0xffffe0010177d840, ApcState_unk_out = 0xffffd000b7d7b400 |
| ObReferenceObjectByHandle | Handle_unk = 0xee4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b7d7b378, Object_out = 0xffffe00101ae2f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b7d7b400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe0010177d840, ret_val_ptr_out = 0x580ad |
| ObQueryNameString | Object_ptr = 0xffffe00101ae2f20, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b4f7c4, ReturnLength_ptr_out = 0xffffd000b7d7b380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101ae2f20, ret_val_ptr_out = 0x7ffe |
Execution Path #23 (length: 4, count: 7, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 160 (g13k6qzj64.exe, PID: 3156) | 7 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0xcf4, Process_unk_out = 0xffffd000b7d7b388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0xc000010a |
| ObfDereferenceObject | Object_ptr = 0xffffe00102acd840, ret_val_ptr_out = 0x27fe4 |
| IoCompleteRequest | ret_val_out = 0x0 |
Kernel Graph 13
Code Block #13 (EP #21)
»
| Information | Value |
|---|---|
| Trigger | KiDpcInterrupt+0x1de |
| Start Address | 0xffffe000fff309b1 |
Execution Path #21 (length: 427, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 427 |
Processes
»
| Process | Count |
|---|---|
| Process 55 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| CmpEnumerateCallback | ret_val_out = 0xfffff800e3bfcc90 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3bee000 |
| CmpEnumerateCallback | ret_val_out = 0x0 |
| DbgEnumerateCallback | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ffbf5ee0 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e3bf9da0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3bee000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ffbf5eee |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe00101289a40 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e3dd1200 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3dd8000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe00101289a4e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ff868ca0 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff8011ad0d778 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff8011af87000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ff868cae |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ff8d7c40 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e30e7750 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3169000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ff8d7c4e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ffbf3e90 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e3bfa290 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3bee000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ffbf3e9e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe001005fd130 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e2eea040 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e2ee6000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe001005fd13e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe001009634c0 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e4dd3b30 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e4f9b000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe001009634ce |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe00101e51150 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e379cf90 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3777000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe00101e5115e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe00105747390 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e5f4aba0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e5f43000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe0010574739e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ffbf7940 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e3bf3f10 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3bee000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ffbf794e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe001135ff600 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e467bf90 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e466c000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe001135ff60e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xb40, Tag = 0x63426343, ret_val_ptr_out = 0xffffe00100248010 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x6879d, Tag = 0x63426343, ret_val_ptr_out = 0xffffe00102b4b000 |
| KeInsertQueueApc | Apc_unk = 0xffffe000ff8a91f0, SystemArgument1_ptr = 0xffffe000ffb3560b, SystemArgument2_ptr = 0x0, PriorityBoost_unk = 0x0, ret_val_out = 1 |
Kernel Graph 14
Code Block #14 (EP #24)
»
| Information | Value |
|---|---|
| Trigger | KiDispatchCallout+0x18a |
| Start Address | 0xffffe00102b4b003 |
Execution Path #24 (length: 2, count: 2, processes: 2 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 66 (svchost.exe, PID: 816) | 1 |
| Process 55 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe00102b4b56b, SpinLock_unk_out = 0xffffe00102b4b56b, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe00102b4b56b, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe00102b4b56b |
Kernel Graph 15
Code Block #15 (EP #25)
»
| Information | Value |
|---|---|
| Trigger | ExpWorkerThread+0xe7 |
| Start Address | 0xffffe00102b5cd04 |
Execution Path #25 (length: 1, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 55 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeWaitForMutexObject | - |
Kernel Graph 16
Code Block #16 (EP #26)
»
| Information | Value |
|---|---|
| Trigger | KiMarkBugCheckRegions+0x3f6 |
| Start Address | 0xffffd000b92d7098 |
Execution Path #26 (length: 3, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 55 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmAllocateIndependentPages | ret_val_out = 0xffffd000bc600000 |
| MmSetPageProtection | ret_val_out = 0x1 |
| KeSetCoalescableTimer | Timer_unk = 0xffffe000ff85fda4, DueTime_unk = 0xffffffffb32d9bc3, Period = 0x0, TolerableDelay = 0xc5, Dpc_unk = 0xffffe000ff85fac1, Timer_unk_out = 0xffffe000ff85fda4, ret_val_out = 0 |
