aad588dd...b03f | Kernel
Logo
Try VMRay Analyzer
VTI SCORE: 95/100
Dynamic Analysis Report
Classification: Dropper, Riskware, Downloader, Trojan, Ransomware

aad588dd12577aba808566cab9ce0a8a005fd6d78216c535e618f6a64b59b03f (SHA256)

mngrxc.exe

Windows Exe (x86-32)

Created at 2019-01-23 14:09:00

...

Notifications (2/3)

Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

Kernel Graph 1

Kernel Graph

Kernel Graph Legend
Code Block #1 (EP #1)
»
Information Value
Trigger IopLoadDriver+0x5e4
Start Address 0xfffff80083f99058
Execution Path #1 (length: 58, count: 1, processes: 1)
»
Information Value
Sequence Length 58
Processes
»
Process Count
Process 40 (System, PID: 4) 1
Sequence
»
Symbol Parameters
RtlInitUnicodeString SourceString = PsAcquireProcessExitSynchronization, DestinationString_out = PsAcquireProcessExitSynchronization
MmGetSystemRoutineAddress SystemRoutineName = PsAcquireProcessExitSynchronization, ret_val_ptr_out = 0xfffff8001fb87204
RtlInitUnicodeString SourceString = PsReleaseProcessExitSynchronization, DestinationString_out = PsReleaseProcessExitSynchronization
MmGetSystemRoutineAddress SystemRoutineName = PsReleaseProcessExitSynchronization, ret_val_ptr_out = 0xfffff8001fb8bce0
RtlInitUnicodeString SourceString = ObGetObjectType, DestinationString_out = ObGetObjectType
MmGetSystemRoutineAddress SystemRoutineName = ObGetObjectType, ret_val_ptr_out = 0xfffff8001fb9eae8
ObGetObjectType ret_val_out = 0xffffe001ad0718c0
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x26, Tag = 0x544f4550, ret_val_ptr_out = 0xffffc000068fb990
ObOpenObjectByName ObjectAttributes_unk = 0xffffd000d13345a0, ObjectType_unk = 0xffffe001ad0718c0, AccessMode_unk = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0xffffd000000f0001, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Handle_ptr_out = 0xffffd000d13345f8, Handle_out = 0xffffffff800010d8, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xffffc000068fb990, Tag = 0x0
ObReferenceObjectByHandle Handle_unk = 0xffffffff800010d8, DesiredAccess_unk = 0xf0001, ObjectType_unk = 0xffffe001ad0718c0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000d1334600, Object_out = 0xffffe001ad069c10, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff800010d8, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ad069c10, ret_val_ptr_out = 0x2
RtlInitUnicodeString SourceString = \Device\PROCEXP152, DestinationString_out = \Device\PROCEXP152
RtlInitUnicodeString SourceString = D:P(A;;GA;;;SY)(A;;GA;;;BA), DestinationString_out = D:P(A;;GA;;;SY)(A;;GA;;;BA)
RtlInitUnicodeString SourceString = IoCreateDeviceSecure, DestinationString_out = IoCreateDeviceSecure
MmGetSystemRoutineAddress SystemRoutineName = IoCreateDeviceSecure, ret_val_ptr_out = 0x0
RtlInitUnicodeString SourceString = IoValidateDeviceIoControlAccess, DestinationString_out = IoValidateDeviceIoControlAccess
MmGetSystemRoutineAddress SystemRoutineName = IoValidateDeviceIoControlAccess, ret_val_ptr_out = 0xfffff8001f776874
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x68, Tag = 0x6c416553, ret_val_ptr_out = 0xffffc00004be6630
_wcsnicmp _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0
_wcsnicmp _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11
_wcsnicmp _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12
_wcsnicmp _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0
_wcsnicmp _String1 = SY, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -4
_wcsnicmp _String1 = SY, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 17
_wcsnicmp _String1 = SY, _String2 = SY, _MaxCount_ptr = 0x2, ret_val_out = 0
RtlLengthSid Sid_ptr = 0xffffe001ad06d380, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, ret_val_out = 0xc
RtlAddAccessAllowedAce Acl_unk = 0xffffc00004be6630, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffe001ad06d380, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, Acl_unk_out = 0xffffc00004be6630, ret_val_out = 0x0
_wcsnicmp _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0
_wcsnicmp _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11
_wcsnicmp _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12
_wcsnicmp _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0
_wcsnicmp _String1 = BA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -21
_wcsnicmp _String1 = BA, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 0
RtlLengthSid Sid_ptr = 0xffffc00001e00390, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, ret_val_out = 0x10
RtlAddAccessAllowedAce Acl_unk = 0xffffc00004be6630, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffc00001e00390, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, Acl_unk_out = 0xffffc00004be6630, ret_val_out = 0x0
RtlCreateSecurityDescriptor Revision = 0x1, SecurityDescriptor_unk_out = 0xffffd000d1334488, ret_val_out = 0x0
RtlSetDaclSecurityDescriptor SecurityDescriptor_unk = 0xffffd000d1334488, DaclPresent = 1, Dacl_unk = 0xffffc00004be6630, DaclDefaulted = 0, SecurityDescriptor_unk_out = 0xffffd000d1334488, ret_val_out = 0x0
RtlAbsoluteToSelfRelativeSD AbsoluteSecurityDescriptor_unk = 0xffffd000d1334488, BufferLength_ptr = 0xffffd000d13344d0, SelfRelativeSecurityDescriptor_unk_out = 0x0, BufferLength_ptr_out = 0xffffd000d13344d0, ret_val_out = 0xc0000023
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x48, Tag = 0x64536553, ret_val_ptr_out = 0xffffc00007aeaaa0
RtlAbsoluteToSelfRelativeSD AbsoluteSecurityDescriptor_unk = 0xffffd000d1334488, BufferLength_ptr = 0xffffd000d13344d0, SelfRelativeSecurityDescriptor_unk_out = 0xffffc00007aeaaa0, BufferLength_ptr_out = 0xffffd000d13344d0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xffffc00004be6630, Tag = 0x0
IoCreateDevice DriverObject_unk = 0xffffe001aefe8420, DeviceExtensionSize = 0x0, DeviceName = \Device\PROCEXP152, DeviceType_unk = 0x8335, DeviceCharacteristics = 0x0, Exclusive = 0, DeviceObject_unk_out = 0xffffd000d13345d0, ret_val_out = 0x0
RtlGetOwnerSecurityDescriptor SecurityDescriptor_unk = 0xffffc00007aeaaa0, Owner_ptr_out = 0xffffd000d1334460, Owner_out = 0x0, OwnerDefaulted_ptr_out = 0xffffd000d1334498, ret_val_out = 0x0
RtlGetGroupSecurityDescriptor SecurityDescriptor_unk = 0xffffc00007aeaaa0, Group_ptr_out = 0xffffd000d1334460, Group_out = 0x0, GroupDefaulted_ptr_out = 0xffffd000d1334498, ret_val_out = 0x0
RtlGetSaclSecurityDescriptor SecurityDescriptor_unk = 0xffffc00007aeaaa0, SaclPresent_ptr_out = 0xffffd000d13344a8, Sacl_unk_out = 0xffffd000d1334468, SaclDefaulted_ptr_out = 0xffffd000d1334498, ret_val_out = 0x0
RtlGetDaclSecurityDescriptor SecurityDescriptor_unk = 0xffffc00007aeaaa0, DaclPresent_ptr_out = 0xffffd000d13344a8, Dacl_unk_out = 0xffffd000d1334468, DaclDefaulted_ptr_out = 0xffffd000d1334498, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xffffe001af38ce40, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x40000, ObjectType_unk = 0xffffe001ad09edc0, AccessMode_unk = 0xffffe001aefe8400, Handle_ptr_out = 0xffffd000d13344d0, Handle_out = 0xffffffff800010d8, ret_val_out = 0x0
ZwSetSecurityObject Handle_unk = 0xffffffff800010d8, SecurityInformation_unk = 0x4, SecurityDescriptor_unk = 0xffffc00007aeaaa0, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff800010d8, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xffffc00007aeaaa0, Tag = 0x0
RtlInitUnicodeString SourceString = \DosDevices\PROCEXP152, DestinationString_out = \DosDevices\PROCEXP152
IoCreateSymbolicLink SymbolicLinkName = \DosDevices\PROCEXP152, DeviceName = \Device\PROCEXP152, ret_val_out = 0x0

Kernel Graph 2

Kernel Graph

Kernel Graph Legend
Code Block #2 (EP #2, #3, #4, #5, #6, #7, #28)
»
Information Value
Trigger IofCallDriver+0x4b
Start Address 0xfffff80083f92000
Execution Path #2 (length: 5, count: 4, processes: 4)
»
Information Value
Sequence Length 5
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 1
Process 204 (qry2vco264.exe, PID: 2224) 1
Process 37 (qry2vco264.exe, PID: 3112) 1
Process 238 (qry2vco264.exe, PID: 1364) 1
Sequence
»
Symbol Parameters
SeCaptureSubjectContext SubjectContext_unk_out = 0xffffd000d2c06328
ExGetPreviousMode ret_val_unk_out = 0x1
SePrivilegeCheck RequiredPrivileges_unk = 0xffffd000d2c06348, SubjectSecurityContext_unk = 0xffffd000d2c06328, AccessMode_unk = 0x1, RequiredPrivileges_unk_out = 0xffffd000d2c06348, ret_val_out = 1
SeReleaseSubjectContext SubjectContext_unk = 0xffffd000d2c06328, SubjectContext_unk_out = 0xffffd000d2c06328
IoCompleteRequest ret_val_out = 0x884
Execution Path #3 (length: 10, count: 2354, processes: 4)
»
Information Value
Sequence Length 10
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 993
Process 204 (qry2vco264.exe, PID: 2224) 246
Process 37 (qry2vco264.exe, PID: 3112) 958
Process 238 (qry2vco264.exe, PID: 1364) 157
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x764, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001ae9565c0, PROCESS_unk_out = 0xffffe001ae9565c0, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x30, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc0000850ffc0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001ae9565c0, ret_val_ptr_out = 0x17fe5
ObQueryNameString Object_ptr = 0xffffc0000850ffc0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afa427c4, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc0000850ffc0, ret_val_ptr_out = 0x10000
IoCompleteRequest ret_val_out = 0x0
Execution Path #4 (length: 13, count: 16, processes: 4)
»
Information Value
Sequence Length 13
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 4
Process 204 (qry2vco264.exe, PID: 2224) 4
Process 37 (qry2vco264.exe, PID: 3112) 4
Process 238 (qry2vco264.exe, PID: 1364) 4
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0xba4, Process_unk_out = 0xffffd000d2c063d8, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001ad844080, PROCESS_unk_out = 0xffffe001ad844080, ApcState_unk_out = 0xffffd000d2c063f8
ObReferenceObjectByHandle Handle_unk = 0x11c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c063e0, Object_out = 0xffffe001af236f90, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001ad844080, ret_val_ptr_out = 0x2ffee
ZwQueryObject Handle_unk = 0x11c, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x0, ObjectInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000d2c063d4, ret_val_out = 0xc0000004
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x88, Tag = 0x58637250, ret_val_ptr_out = 0xffffc00004935290
ZwQueryObject Handle_unk = 0x11c, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x88, ObjectInformation_ptr_out = 0xffffc00004935290, ReturnLength_ptr_out = 0x0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xffffc00004935290, Tag = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af236f90, ret_val_ptr_out = 0x7ffe
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c063f8
IoCompleteRequest ret_val_out = 0x0
Execution Path #5 (length: 2, count: 28, processes: 4)
»
Information Value
Sequence Length 2
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 8
Process 204 (qry2vco264.exe, PID: 2224) 6
Process 37 (qry2vco264.exe, PID: 3112) 8
Process 238 (qry2vco264.exe, PID: 1364) 6
Sequence
»
Symbol Parameters
ZwOpenProcess DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd000d2c064b8, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd000d2c064a8, ClientId_deref_UniqueProcess_unk = 0xef4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffe001aedcb640, ProcessHandle_out = 0x1a0, ret_val_out = 0x0
IoCompleteRequest ret_val_out = 0x0
Execution Path #6 (length: 4, count: 20, processes: 4)
»
Information Value
Sequence Length 4
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 5
Process 204 (qry2vco264.exe, PID: 2224) 5
Process 37 (qry2vco264.exe, PID: 3112) 5
Process 238 (qry2vco264.exe, PID: 1364) 5
Sequence
»
Symbol Parameters
ZwOpenProcess DesiredAccess_unk = 0x40, ObjectAttributes_ptr = 0xffffd000d2c06438, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd000d2c06428, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd000d2c06420, ProcessHandle_out = 0xffffffff80000bd8, ret_val_out = 0x0
ZwDuplicateObject SourceProcessHandle_unk = 0xffffffff80000bd8, SourceHandle_unk = 0xcc4, TargetProcessHandle_unk = 0xffffffffffffffff, DesiredAccess_unk = 0x10000000, HandleAttributes = 0x0, Options = 0x0, TargetHandle_ptr_out = 0xffffe001aedcbfc0, TargetHandle_out = 0x1a4, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000bd8, ret_val_out = 0x0
IoCompleteRequest ret_val_out = 0x0
Execution Path #7 (length: 9, count: 13, processes: 2)
»
Information Value
Sequence Length 9
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 1
Process 37 (qry2vco264.exe, PID: 3112) 12
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x4, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001ad074040, PROCESS_unk_out = 0xffffe001ad074040, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0xffffffff80000904, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc00006a3f430, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00006a3f430, ret_val_ptr_out = 0x7ffe
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001ad074040, ret_val_ptr_out = 0x2fe04
IoCompleteRequest ret_val_out = 0x0
Execution Path #28 (length: 5, count: 1, processes: 1)
»
Information Value
Sequence Length 5
Processes
»
Process Count
Process 238 (qry2vco264.exe, PID: 1364) 1
Sequence
»
Symbol Parameters
ObReferenceObjectByHandle Handle_unk = 0x18c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d20b9498, Object_out = 0xffffe001aeb93080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xffffe001aeb93080, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffffd000d20b94a0, Handle_out = 0xffffffff80000f20, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aeb93080, ret_val_ptr_out = 0x27ffe
ZwOpenProcessToken ProcessHandle_unk = 0xffffffff80000f20, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffe001af99ac40, TokenHandle_out = 0x184, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000f20, ret_val_out = 0x0

Kernel Graph 3

Kernel Graph

Kernel Graph Legend
Code Block #3 (EP #8)
»
Information Value
Trigger PROCEXP152.SYS+0x2620
Start Address 0xfffff8001fb39384
Execution Path #8 (length: 1, count: 1858, processes: 3)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 913
Process 204 (qry2vco264.exe, PID: 2224) 92
Process 37 (qry2vco264.exe, PID: 3112) 853
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x4, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0

Kernel Graph 4

Kernel Graph

Kernel Graph Legend
Code Block #4 (EP #9)
»
Information Value
Trigger PROCEXP152.SYS+0x2641
Start Address 0xfffff8001fb87204
Execution Path #9 (length: 1, count: 3252, processes: 4)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 879
Process 204 (qry2vco264.exe, PID: 2224) 792
Process 37 (qry2vco264.exe, PID: 3112) 810
Process 238 (qry2vco264.exe, PID: 1364) 771
Sequence
»
Symbol Parameters
PsAcquireProcessExitSynchronization ret_val_out = 0x0

Kernel Graph 5

Kernel Graph

Kernel Graph Legend
Code Block #5 (EP #10)
»
Information Value
Trigger PROCEXP152.SYS+0x2669
Start Address 0xfffff8001f6f2dc0
Execution Path #10 (length: 1, count: 3248, processes: 4)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 875
Process 204 (qry2vco264.exe, PID: 2224) 792
Process 37 (qry2vco264.exe, PID: 3112) 810
Process 238 (qry2vco264.exe, PID: 1364) 771
Sequence
»
Symbol Parameters
KeStackAttachProcess PROCESS_unk = 0xffffe001ad074040, PROCESS_unk_out = 0xffffe001ad074040, ApcState_unk_out = 0xffffd000d2c06400

Kernel Graph 6

Kernel Graph

Kernel Graph Legend
Code Block #6 (EP #11)
»
Information Value
Trigger PROCEXP152.SYS+0x26a0
Start Address 0xfffff8001fa9d640
Execution Path #11 (length: 1, count: 3248, processes: 115)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 1 (mngrxc.exe, PID: 2672) 29
Process 2 (UNKNOWN, PID: UNKNOWN) 20
Process 5 (nwserbna.exe, PID: 832) 10
Process 6 (UNKNOWN, PID: UNKNOWN) 10
Process 14 (cmd.exe, PID: 3284) 4
Process 15 (UNKNOWN, PID: UNKNOWN) 4
Process 17 (cmd.exe, PID: 2928) 4
Process 18 (UNKNOWN, PID: UNKNOWN) 4
Process 19 (cmd.exe, PID: 436) 5
Process 20 (UNKNOWN, PID: UNKNOWN) 4
Process 24 (cmd.exe, PID: 3768) 4
Process 25 (UNKNOWN, PID: UNKNOWN) 4
Process 32 (cmd.exe, PID: 3192) 4
Process 33 (qry2vco2.exe, PID: 1548) 5
Process 35 (cmd.exe, PID: 336) 4
Process 36 (UNKNOWN, PID: UNKNOWN) 4
Process 37 (qry2vco264.exe, PID: 3112) 4
Process 39 (svchost.exe, PID: 804) 189
Process 40 (System, PID: 4) 392
Process 41 (cmd.exe, PID: 1892) 7
Process 42 (smss.exe, PID: 264) 22
Process 43 (csrss.exe, PID: 340) 99
Process 44 (wininit.exe, PID: 404) 23
Process 45 (csrss.exe, PID: 412) 227
Process 46 (winlogon.exe, PID: 460) 16
Process 47 (services.exe, PID: 484) 32
Process 48 (lsass.exe, PID: 492) 48
Process 49 (svchost.exe, PID: 572) 84
Process 50 (svchost.exe, PID: 616) 40
Process 51 (dwm.exe, PID: 724) 52
Process 52 (svchost.exe, PID: 812) 221
Process 53 (svchost.exe, PID: 856) 32
Process 54 (svchost.exe, PID: 864) 68
Process 55 (svchost.exe, PID: 920) 48
Process 56 (svchost.exe, PID: 592) 60
Process 57 (spoolsv.exe, PID: 356) 72
Process 59 (svchost.exe, PID: 1092) 40
Process 60 (officeclicktorun.exe, PID: 1220) 38
Process 61 (svchost.exe, PID: 1656) 32
Process 62 (sihost.exe, PID: 1796) 20
Process 63 (taskhostw.exe, PID: 1916) 44
Process 64 (explorer.exe, PID: 1404) 366
Process 65 (runtimebroker.exe, PID: 2040) 37
Process 66 (shellexperiencehost.exe, PID: 2432) 68
Process 67 (searchui.exe, PID: 2532) 152
Process 68 (backgroundtaskhost.exe, PID: 1264) 28
Process 69 (commands-xerox-relationship.exe, PID: 1356) 12
Process 70 (recorder.exe, PID: 1988) 12
Process 71 (shift.exe, PID: 500) 12
Process 72 (unsubscribe-wisdom.exe, PID: 480) 12
Process 73 (shoe-associations.exe, PID: 1952) 12
Process 74 (israeli-runtime-recommendation.exe, PID: 1048) 12
Process 75 (les lodging.exe, PID: 1816) 12
Process 76 (normally.exe, PID: 2104) 12
Process 77 (dir.exe, PID: 1208) 12
Process 78 (baseball-showing-idaho.exe, PID: 2780) 12
Process 79 (returned.exe, PID: 2772) 12
Process 80 (sweden_decorative_wit.exe, PID: 2192) 12
Process 81 (se-viii.exe, PID: 2640) 12
Process 82 (separate.exe, PID: 2244) 12
Process 83 (bulgaria.exe, PID: 888) 12
Process 84 (advertisement-beginners.exe, PID: 2648) 12
Process 85 (semiconductorphysfisheries.exe, PID: 1676) 12
Process 86 (medicare.exe, PID: 1976) 12
Process 87 (spain-chart.exe, PID: 1372) 12
Process 88 (females-ward.exe, PID: 988) 12
Process 89 (beast.exe, PID: 3092) 12
Process 90 (audiodg.exe, PID: 3856) 16
Process 91 (svchost.exe, PID: 3152) 12
Process 92 (sppsvc.exe, PID: 3828) 8
Process 94 (UNKNOWN, PID: UNKNOWN) 4
Process 95 (cmd.exe, PID: 1316) 4
Process 97 (UNKNOWN, PID: UNKNOWN) 4
Process 108 (cmd.exe, PID: 2692) 4
Process 109 (UNKNOWN, PID: UNKNOWN) 4
Process 116 (UNKNOWN, PID: UNKNOWN) 4
Process 121 (cmd.exe, PID: 932) 5
Process 125 (cmd.exe, PID: 2544) 4
Process 126 (UNKNOWN, PID: UNKNOWN) 4
Process 131 (cmd.exe, PID: 1124) 9
Process 135 (UNKNOWN, PID: UNKNOWN) 8
Process 138 (cmd.exe, PID: 1308) 4
Process 139 (UNKNOWN, PID: UNKNOWN) 8
Process 140 (UNKNOWN, PID: UNKNOWN) 4
Process 141 (cmd.exe, PID: 1256) 8
Process 143 (UNKNOWN, PID: UNKNOWN) 8
Process 149 (wmiadap.exe, PID: 3456) 9
Process 152 (cmd.exe, PID: 3784) 13
Process 153 (UNKNOWN, PID: UNKNOWN) 12
Process 158 (cmd.exe, PID: 4072) 4
Process 161 (cmd.exe, PID: 3552) 13
Process 163 (UNKNOWN, PID: UNKNOWN) 12
Process 164 (qry2vco2.exe, PID: 1428) 5
Process 167 (cmd.exe, PID: 1904) 6
Process 168 (qry2vco264.exe, PID: 2384) 4
Process 169 (UNKNOWN, PID: UNKNOWN) 5
Process 171 (wmiprvse.exe, PID: 1056) 10
Process 178 (cmd.exe, PID: 3868) 8
Process 181 (UNKNOWN, PID: UNKNOWN) 8
Process 189 (cmd.exe, PID: 3744) 8
Process 191 (UNKNOWN, PID: UNKNOWN) 8
Process 192 (cmd.exe, PID: 3956) 4
Process 196 (qry2vco2.exe, PID: 2540) 5
Process 200 (cmd.exe, PID: 2272) 8
Process 202 (UNKNOWN, PID: UNKNOWN) 8
Process 204 (qry2vco264.exe, PID: 2224) 4
Process 207 (cmd.exe, PID: 1200) 6
Process 208 (UNKNOWN, PID: UNKNOWN) 7
Process 213 (cmd.exe, PID: 996) 4
Process 214 (UNKNOWN, PID: UNKNOWN) 4
Process 220 (cmd.exe, PID: 3816) 4
Process 221 (UNKNOWN, PID: UNKNOWN) 4
Process 224 (cmd.exe, PID: 3632) 4
Process 225 (dllhost.exe, PID: 772) 3
Process 228 (cmd.exe, PID: 1032) 4
Sequence
»
Symbol Parameters
ObReferenceObjectByHandle Handle_unk = 0xffffffff80000ab4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001af73b6c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0

Kernel Graph 7

Kernel Graph

Kernel Graph Legend
Code Block #7 (EP #12)
»
Information Value
Trigger PROCEXP152.SYS+0x26d2
Start Address 0xfffff8001f6f2eb0
Execution Path #12 (length: 1, count: 3248, processes: 115)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 1 (mngrxc.exe, PID: 2672) 29
Process 2 (UNKNOWN, PID: UNKNOWN) 20
Process 5 (nwserbna.exe, PID: 832) 10
Process 6 (UNKNOWN, PID: UNKNOWN) 10
Process 14 (cmd.exe, PID: 3284) 4
Process 15 (UNKNOWN, PID: UNKNOWN) 4
Process 17 (cmd.exe, PID: 2928) 4
Process 18 (UNKNOWN, PID: UNKNOWN) 4
Process 19 (cmd.exe, PID: 436) 5
Process 20 (UNKNOWN, PID: UNKNOWN) 4
Process 24 (cmd.exe, PID: 3768) 4
Process 25 (UNKNOWN, PID: UNKNOWN) 4
Process 32 (cmd.exe, PID: 3192) 4
Process 33 (qry2vco2.exe, PID: 1548) 5
Process 35 (cmd.exe, PID: 336) 4
Process 36 (UNKNOWN, PID: UNKNOWN) 4
Process 37 (qry2vco264.exe, PID: 3112) 4
Process 39 (svchost.exe, PID: 804) 189
Process 40 (System, PID: 4) 392
Process 41 (cmd.exe, PID: 1892) 7
Process 42 (smss.exe, PID: 264) 22
Process 43 (csrss.exe, PID: 340) 99
Process 44 (wininit.exe, PID: 404) 23
Process 45 (csrss.exe, PID: 412) 227
Process 46 (winlogon.exe, PID: 460) 16
Process 47 (services.exe, PID: 484) 32
Process 48 (lsass.exe, PID: 492) 48
Process 49 (svchost.exe, PID: 572) 84
Process 50 (svchost.exe, PID: 616) 40
Process 51 (dwm.exe, PID: 724) 52
Process 52 (svchost.exe, PID: 812) 221
Process 53 (svchost.exe, PID: 856) 32
Process 54 (svchost.exe, PID: 864) 68
Process 55 (svchost.exe, PID: 920) 48
Process 56 (svchost.exe, PID: 592) 60
Process 57 (spoolsv.exe, PID: 356) 72
Process 59 (svchost.exe, PID: 1092) 40
Process 60 (officeclicktorun.exe, PID: 1220) 38
Process 61 (svchost.exe, PID: 1656) 32
Process 62 (sihost.exe, PID: 1796) 20
Process 63 (taskhostw.exe, PID: 1916) 44
Process 64 (explorer.exe, PID: 1404) 366
Process 65 (runtimebroker.exe, PID: 2040) 37
Process 66 (shellexperiencehost.exe, PID: 2432) 68
Process 67 (searchui.exe, PID: 2532) 152
Process 68 (backgroundtaskhost.exe, PID: 1264) 28
Process 69 (commands-xerox-relationship.exe, PID: 1356) 12
Process 70 (recorder.exe, PID: 1988) 12
Process 71 (shift.exe, PID: 500) 12
Process 72 (unsubscribe-wisdom.exe, PID: 480) 12
Process 73 (shoe-associations.exe, PID: 1952) 12
Process 74 (israeli-runtime-recommendation.exe, PID: 1048) 12
Process 75 (les lodging.exe, PID: 1816) 12
Process 76 (normally.exe, PID: 2104) 12
Process 77 (dir.exe, PID: 1208) 12
Process 78 (baseball-showing-idaho.exe, PID: 2780) 12
Process 79 (returned.exe, PID: 2772) 12
Process 80 (sweden_decorative_wit.exe, PID: 2192) 12
Process 81 (se-viii.exe, PID: 2640) 12
Process 82 (separate.exe, PID: 2244) 12
Process 83 (bulgaria.exe, PID: 888) 12
Process 84 (advertisement-beginners.exe, PID: 2648) 12
Process 85 (semiconductorphysfisheries.exe, PID: 1676) 12
Process 86 (medicare.exe, PID: 1976) 12
Process 87 (spain-chart.exe, PID: 1372) 12
Process 88 (females-ward.exe, PID: 988) 12
Process 89 (beast.exe, PID: 3092) 12
Process 90 (audiodg.exe, PID: 3856) 16
Process 91 (svchost.exe, PID: 3152) 12
Process 92 (sppsvc.exe, PID: 3828) 8
Process 94 (UNKNOWN, PID: UNKNOWN) 4
Process 95 (cmd.exe, PID: 1316) 4
Process 97 (UNKNOWN, PID: UNKNOWN) 4
Process 108 (cmd.exe, PID: 2692) 4
Process 109 (UNKNOWN, PID: UNKNOWN) 4
Process 116 (UNKNOWN, PID: UNKNOWN) 4
Process 121 (cmd.exe, PID: 932) 5
Process 125 (cmd.exe, PID: 2544) 4
Process 126 (UNKNOWN, PID: UNKNOWN) 4
Process 131 (cmd.exe, PID: 1124) 9
Process 135 (UNKNOWN, PID: UNKNOWN) 8
Process 138 (cmd.exe, PID: 1308) 4
Process 139 (UNKNOWN, PID: UNKNOWN) 8
Process 140 (UNKNOWN, PID: UNKNOWN) 4
Process 141 (cmd.exe, PID: 1256) 8
Process 143 (UNKNOWN, PID: UNKNOWN) 8
Process 149 (wmiadap.exe, PID: 3456) 9
Process 152 (cmd.exe, PID: 3784) 13
Process 153 (UNKNOWN, PID: UNKNOWN) 12
Process 158 (cmd.exe, PID: 4072) 4
Process 161 (cmd.exe, PID: 3552) 13
Process 163 (UNKNOWN, PID: UNKNOWN) 12
Process 164 (qry2vco2.exe, PID: 1428) 5
Process 167 (cmd.exe, PID: 1904) 6
Process 168 (qry2vco264.exe, PID: 2384) 4
Process 169 (UNKNOWN, PID: UNKNOWN) 5
Process 171 (wmiprvse.exe, PID: 1056) 10
Process 178 (cmd.exe, PID: 3868) 8
Process 181 (UNKNOWN, PID: UNKNOWN) 8
Process 189 (cmd.exe, PID: 3744) 8
Process 191 (UNKNOWN, PID: UNKNOWN) 8
Process 192 (cmd.exe, PID: 3956) 4
Process 196 (qry2vco2.exe, PID: 2540) 5
Process 200 (cmd.exe, PID: 2272) 8
Process 202 (UNKNOWN, PID: UNKNOWN) 8
Process 204 (qry2vco264.exe, PID: 2224) 4
Process 207 (cmd.exe, PID: 1200) 6
Process 208 (UNKNOWN, PID: UNKNOWN) 7
Process 213 (cmd.exe, PID: 996) 4
Process 214 (UNKNOWN, PID: UNKNOWN) 4
Process 220 (cmd.exe, PID: 3816) 4
Process 221 (UNKNOWN, PID: UNKNOWN) 4
Process 224 (cmd.exe, PID: 3632) 4
Process 225 (dllhost.exe, PID: 772) 3
Process 228 (cmd.exe, PID: 1032) 4
Sequence
»
Symbol Parameters
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400

Kernel Graph 8

Kernel Graph

Kernel Graph Legend
Code Block #8 (EP #13)
»
Information Value
Trigger PROCEXP152.SYS+0x26ee
Start Address 0xfffff8001fb8bce0
Execution Path #13 (length: 1, count: 3248, processes: 4)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 875
Process 204 (qry2vco264.exe, PID: 2224) 792
Process 37 (qry2vco264.exe, PID: 3112) 810
Process 238 (qry2vco264.exe, PID: 1364) 771
Sequence
»
Symbol Parameters
PsReleaseProcessExitSynchronization ret_val_out = 0x2

Kernel Graph 9

Kernel Graph

Kernel Graph Legend
Code Block #9 (EP #14)
»
Information Value
Trigger PROCEXP152.SYS+0x26f5
Start Address 0xfffff8001f6c09b0
Execution Path #14 (length: 1, count: 6489, processes: 8)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 37 (qry2vco264.exe, PID: 3112) 1602
Process 39 (svchost.exe, PID: 804) 1
Process 40 (System, PID: 4) 14
Process 41 (cmd.exe, PID: 1892) 1
Process 204 (qry2vco264.exe, PID: 2224) 1575
Process 238 (qry2vco264.exe, PID: 1364) 1541
Process 208 (UNKNOWN, PID: UNKNOWN) 2
Process 168 (qry2vco264.exe, PID: 2384) 1753
Sequence
»
Symbol Parameters
ObfDereferenceObject Object_ptr = 0xffffe001ad074040, ret_val_ptr_out = 0x2fdcb

Kernel Graph 10

Kernel Graph

Kernel Graph Legend
Code Block #10 (EP #15)
»
Information Value
Trigger PROCEXP152.SYS+0x27c8
Start Address 0xfffff8001fba3118
Execution Path #15 (length: 1, count: 3219, processes: 4)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 874
Process 204 (qry2vco264.exe, PID: 2224) 783
Process 37 (qry2vco264.exe, PID: 3112) 792
Process 238 (qry2vco264.exe, PID: 1364) 770
Sequence
»
Symbol Parameters
ObQueryNameString Object_ptr = 0xffffe001af73b6c0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afaf7044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0

Kernel Graph 11

Kernel Graph

Kernel Graph Legend
Code Block #11 (EP #16)
»
Information Value
Trigger PROCEXP152.SYS+0x20f2
Start Address 0xfffff8001f6c4150
Execution Path #16 (length: 1, count: 3332, processes: 4)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 914
Process 204 (qry2vco264.exe, PID: 2224) 793
Process 37 (qry2vco264.exe, PID: 3112) 854
Process 238 (qry2vco264.exe, PID: 1364) 771
Sequence
»
Symbol Parameters
IoCompleteRequest ret_val_out = 0x0

Kernel Graph 12

Kernel Graph

Kernel Graph Legend
Code Block #12 (EP #17, #18, #19, #20, #21, #22, #23, #24, #25, #26, #27)
»
Information Value
Trigger PROCEXP152.SYS+0x211a
Start Address 0xfffff8001faa717d
Execution Path #17 (length: 8, count: 15, processes: 3)
»
Information Value
Sequence Length 8
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 4
Process 204 (qry2vco264.exe, PID: 2224) 2
Process 37 (qry2vco264.exe, PID: 3112) 9
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x4, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001ad074040, PROCESS_unk_out = 0xffffe001ad074040, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0xffffffff80000d74, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001ad074040, ret_val_ptr_out = 0x2fd80
IoCompleteRequest ret_val_out = 0x0
Execution Path #18 (length: 6, count: 278, processes: 4)
»
Information Value
Sequence Length 6
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 76
Process 204 (qry2vco264.exe, PID: 2224) 71
Process 37 (qry2vco264.exe, PID: 3112) 62
Process 238 (qry2vco264.exe, PID: 1364) 69
Sequence
»
Symbol Parameters
ObReferenceObjectByHandle Handle_unk = 0x1a4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06498, Object_out = 0xffffe001ad105080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xffffe001ad105080, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffffd000d2c064a0, Handle_out = 0xffffffff80000ff4, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ad105080, ret_val_ptr_out = 0x67ffa
ZwOpenProcessToken ProcessHandle_unk = 0xffffffff80000ff4, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffe001af8c7bc0, TokenHandle_out = 0x19c, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000ff4, ret_val_out = 0x0
IoCompleteRequest ret_val_out = 0x0
Execution Path #19 (length: 2, count: 72, processes: 2)
»
Information Value
Sequence Length 2
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 32
Process 37 (qry2vco264.exe, PID: 3112) 40
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x420, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0xc000000b
IoCompleteRequest ret_val_out = 0x0
Execution Path #20 (length: 171, count: 1, processes: 1)
»
Information Value
Sequence Length 171
Processes
»
Process Count
Process 37 (qry2vco264.exe, PID: 3112) 1
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1ce8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001af396f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea7b
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afad87c4, ReturnLength_ptr_out = 0xffffd000d2c06338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af396f20, ret_val_ptr_out = 0x7ffb
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1d08, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc0000564bb50, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea7a
ObQueryNameString Object_ptr = 0xffffc0000564bb50, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001af9403c4, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc0000564bb50, ret_val_ptr_out = 0x7fff
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1d2c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc000076efa60, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea79
ObQueryNameString Object_ptr = 0xffffc000076efa60, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001af92b344, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc000076efa60, ret_val_ptr_out = 0x7fff
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1d30, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001af8bf920, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea78
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afa19044, ReturnLength_ptr_out = 0xffffd000d2c06338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af8bf920, ret_val_ptr_out = 0x7ff4
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1d5c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc00004b6c9b0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea77
ObQueryNameString Object_ptr = 0xffffc00004b6c9b0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afa0c044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004b6c9b0, ret_val_ptr_out = 0x8000
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1e58, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001ae509450, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea76
ObQueryNameString Object_ptr = 0xffffe001ae509450, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ad810044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae509450, ret_val_ptr_out = 0x7fff
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1e64, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001ae1edce0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea75
ObQueryNameString Object_ptr = 0xffffe001ae1edce0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ae0317c4, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae1edce0, ret_val_ptr_out = 0x7fff
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1f84, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001aef24730, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea74
ObQueryNameString Object_ptr = 0xffffe001aef24730, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001af6bf044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aef24730, ret_val_ptr_out = 0x800e
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1fb8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001af2b1b10, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea73
ObQueryNameString Object_ptr = 0xffffe001af2b1b10, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001af727044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af2b1b10, ret_val_ptr_out = 0x800f
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1fbc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001ae2133a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea72
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001af6057c4, ReturnLength_ptr_out = 0xffffd000d2c06338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae2133a0, ret_val_ptr_out = 0x8000
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1fd8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001af232b00, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea71
ObQueryNameString Object_ptr = 0xffffe001ae1141d0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aee4d7c4, ReturnLength_ptr_out = 0xffffd000d2c06338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af232b00, ret_val_ptr_out = 0x7ff1
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1fe0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001aed85980, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea70
ObQueryNameString Object_ptr = 0xffffe001aed85980, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001adcd6044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aed85980, ret_val_ptr_out = 0x800d
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x1ffc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc00004c49150, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea6f
ObQueryNameString Object_ptr = 0xffffc00004c49150, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ae0a6044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004c49150, ret_val_ptr_out = 0x7fff
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x2008, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001af57d9f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea6e
ObQueryNameString Object_ptr = 0xffffe001af57d9f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001af230044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af57d9f0, ret_val_ptr_out = 0x7fff
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x201c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001af577db0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea6d
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ae0b57c4, ReturnLength_ptr_out = 0xffffd000d2c06338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af577db0, ret_val_ptr_out = 0x7fff
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x2040, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc00004c54c80, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea6c
ObQueryNameString Object_ptr = 0xffffc00004c54c80, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001af9fb7c4, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004c54c80, ret_val_ptr_out = 0x8000
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x2044, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc000046cd080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea6b
ObQueryNameString Object_ptr = 0xffffc000046cd080, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ae0cc7c4, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc000046cd080, ret_val_ptr_out = 0xffff
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x204c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001ae218850, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea6a
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ae0a2044, ReturnLength_ptr_out = 0xffffd000d2c06338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae218850, ret_val_ptr_out = 0x7fe8
PsLookupProcessByProcessId ProcessId_unk = 0x57c, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x2054, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffc00004c64180, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5ea69
ObQueryNameString Object_ptr = 0xffffc00004c64180, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ad85b044, ReturnLength_ptr_out = 0xffffd000d2c06380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004c64180, ret_val_ptr_out = 0x7fff
Execution Path #21 (length: 9, count: 1, processes: 1)
»
Information Value
Sequence Length 9
Processes
»
Process Count
Process 37 (qry2vco264.exe, PID: 3112) 1
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0xc78, Process_unk_out = 0xffffd000d2c06388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001afb0f840, PROCESS_unk_out = 0xffffe001afb0f840, ApcState_unk_out = 0xffffd000d2c06400
ObReferenceObjectByHandle Handle_unk = 0x3c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d2c06378, Object_out = 0xffffe001ad9829c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d2c06400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001afb0f840, ret_val_ptr_out = 0x27fe2
ObQueryNameString Object_ptr = 0xffffe001aed5cd80, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afc02044, ReturnLength_ptr_out = 0xffffd000d2c06338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ad9829c0, ret_val_ptr_out = 0x2ff90
Execution Path #22 (length: 4, count: 4, processes: 1)
»
Information Value
Sequence Length 4
Processes
»
Process Count
Process 168 (qry2vco264.exe, PID: 2384) 4
Sequence
»
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x85c, Process_unk_out = 0xffffd000d52d3388, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0xc000010a
ObfDereferenceObject Object_ptr = 0xffffe001af84d080, ret_val_ptr_out = 0x17fd4
IoCompleteRequest ret_val_out = 0x0
Execution Path #23 (length: 9, count: 1396, processes: 2)
»
Information Value
Sequence Length 9
Processes
»
Process Count
Process 204 (qry2vco264.exe, PID: 2224) 661
Process 238 (qry2vco264.exe, PID: 1364) 735
Sequence
»
Symbol Parameters
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001ae6c8840, PROCESS_unk_out = 0xffffe001ae6c8840, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x10, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001ae6c8470, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001ae6c8840, ret_val_ptr_out = 0x28005
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aface044, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae6c8470, ret_val_ptr_out = 0x7ffd
IoCompleteRequest ret_val_out = 0x0
Execution Path #24 (length: 7, count: 2, processes: 2)
»
Information Value
Sequence Length 7
Processes
»
Process Count
Process 204 (qry2vco264.exe, PID: 2224) 1
Process 238 (qry2vco264.exe, PID: 1364) 1
Sequence
»
Symbol Parameters
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x330, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e6fa
IoCompleteRequest ret_val_out = 0x0
Execution Path #25 (length: 8, count: 4, processes: 2)
»
Information Value
Sequence Length 8
Processes
»
Process Count
Process 204 (qry2vco264.exe, PID: 2224) 3
Process 238 (qry2vco264.exe, PID: 1364) 1
Sequence
»
Symbol Parameters
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x7f4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aeff2200, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aeff2200, ret_val_ptr_out = 0x7ffe
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e6cd
IoCompleteRequest ret_val_out = 0x0
Execution Path #26 (length: 304, count: 1, processes: 1)
»
Information Value
Sequence Length 304
Processes
»
Process Count
Process 204 (qry2vco264.exe, PID: 2224) 1
Sequence
»
Symbol Parameters
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1824, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aebb4570, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e665
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afd6e044, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aebb4570, ret_val_ptr_out = 0x7ffe
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1828, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc00004b916c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e664
ObQueryNameString Object_ptr = 0xffffc00004b916c0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff39044, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004b916c0, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1848, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aedb1f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e663
ObQueryNameString Object_ptr = 0xffffe001aedb1f20, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afe747c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aedb1f20, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1860, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aee3bf20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e662
ObQueryNameString Object_ptr = 0xffffe001aee3bf20, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ad8347c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aee3bf20, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1864, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aeb49720, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e661
ObQueryNameString Object_ptr = 0xffffe001aeb49720, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff5e044, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aeb49720, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1890, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc000036dce30, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e660
ObQueryNameString Object_ptr = 0xffffc000036dce30, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afc92044, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc000036dce30, ret_val_ptr_out = 0x2fff2
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x18bc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc0000307ee50, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e65f
ObQueryNameString Object_ptr = 0xffffc0000307ee50, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ad9f07c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc0000307ee50, ret_val_ptr_out = 0x7ffe
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x18c0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aef94860, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e65e
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff3a504, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aef94860, ret_val_ptr_out = 0x7ffe
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x18ec, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aefd2090, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e65d
ObQueryNameString Object_ptr = 0xffffe001aefd2090, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001adcd17c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aefd2090, ret_val_ptr_out = 0x7ffa
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1b58, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af7326c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e65c
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff41044, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af7326c0, ret_val_ptr_out = 0xfffa
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1bac, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc000056c25f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e65b
ObQueryNameString Object_ptr = 0xffffc000056c25f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001add267c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc000056c25f0, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1bc4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af2393a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e65a
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ae0117c4, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af2393a0, ret_val_ptr_out = 0xffa6
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1bc8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af229db0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e659
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001add757c4, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af229db0, ret_val_ptr_out = 0x7ffe
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1bdc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc00006d03c60, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e658
ObQueryNameString Object_ptr = 0xffffc00006d03c60, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001b00a07c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00006d03c60, ret_val_ptr_out = 0x7fff
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1c28, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af2393a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e657
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001add4f7c4, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af2393a0, ret_val_ptr_out = 0xffa5
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1c2c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc00004c38fc0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e656
ObQueryNameString Object_ptr = 0xffffc00004c38fc0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff36404, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004c38fc0, ret_val_ptr_out = 0x7ff8
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1c30, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001ae341cb0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e655
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff3e7c4, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae341cb0, ret_val_ptr_out = 0xfff4
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1cb0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc000036a0dc0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e654
ObQueryNameString Object_ptr = 0xffffc000036a0dc0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afef6044, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc000036a0dc0, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1cb8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af7326c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e653
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afd6e044, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af7326c0, ret_val_ptr_out = 0xfff9
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1ce8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af396f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e652
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff39044, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af396f20, ret_val_ptr_out = 0x7ff9
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1d08, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc0000564bb50, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e651
ObQueryNameString Object_ptr = 0xffffc0000564bb50, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afe747c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc0000564bb50, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1d2c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc000076efa60, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e650
ObQueryNameString Object_ptr = 0xffffc000076efa60, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ad8347c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc000076efa60, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1d30, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af8bf920, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e64f
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff5e044, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af8bf920, ret_val_ptr_out = 0x7fef
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1d5c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc00004b6c9b0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e64e
ObQueryNameString Object_ptr = 0xffffc00004b6c9b0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff3a504, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004b6c9b0, ret_val_ptr_out = 0x7ffe
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1e58, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001ae509450, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e64d
ObQueryNameString Object_ptr = 0xffffe001ae509450, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001adcd17c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae509450, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1e64, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001ae1edce0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e64c
ObQueryNameString Object_ptr = 0xffffe001ae1edce0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff41044, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae1edce0, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1f84, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aef24730, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e64b
ObQueryNameString Object_ptr = 0xffffe001aef24730, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001add267c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aef24730, ret_val_ptr_out = 0x800c
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1fb8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af2b1b10, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e64a
ObQueryNameString Object_ptr = 0xffffe001af2b1b10, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ae0117c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af2b1b10, ret_val_ptr_out = 0x800d
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1fbc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001ae2133a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e649
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001add757c4, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae2133a0, ret_val_ptr_out = 0x7ffe
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1fd8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af232b00, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e648
ObQueryNameString Object_ptr = 0xffffe001ae1141d0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001b00a07c4, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af232b00, ret_val_ptr_out = 0x7fef
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1fe0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001aed85980, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e647
ObQueryNameString Object_ptr = 0xffffe001aed85980, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001add4f7c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001aed85980, ret_val_ptr_out = 0x800b
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x1ffc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc00004c49150, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e646
ObQueryNameString Object_ptr = 0xffffc00004c49150, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff36404, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004c49150, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x2008, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af57d9f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e645
ObQueryNameString Object_ptr = 0xffffe001af57d9f0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff3e7c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af57d9f0, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x201c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001af577db0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e644
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afef6044, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af577db0, ret_val_ptr_out = 0x7ffd
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x2040, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc00004c54c80, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e643
ObQueryNameString Object_ptr = 0xffffc00004c54c80, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afd6e044, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004c54c80, ret_val_ptr_out = 0x7ffe
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x2044, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc000046cd080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e642
ObQueryNameString Object_ptr = 0xffffc000046cd080, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001aff39044, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc000046cd080, ret_val_ptr_out = 0xfffb
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x204c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffe001ae218850, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e641
ObQueryNameString Object_ptr = 0xffffe001ae235680, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afe747c4, ReturnLength_ptr_out = 0xffffd000d6646338, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae218850, ret_val_ptr_out = 0x7fda
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001aee23400, PROCESS_unk_out = 0xffffe001aee23400, ApcState_unk_out = 0xffffd000d6646400
ObReferenceObjectByHandle Handle_unk = 0x2054, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d6646378, Object_out = 0xffffc00004c64180, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d6646400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001aee23400, ret_val_ptr_out = 0x5e640
ObQueryNameString Object_ptr = 0xffffc00004c64180, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001ad8347c4, ReturnLength_ptr_out = 0xffffd000d6646380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00004c64180, ret_val_ptr_out = 0x7ffd
Execution Path #27 (length: 24, count: 1, processes: 1)
»
Information Value
Sequence Length 24
Processes
»
Process Count
Process 238 (qry2vco264.exe, PID: 1364) 1
Sequence
»
Symbol Parameters
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001ae9dc540, PROCESS_unk_out = 0xffffe001ae9dc540, ApcState_unk_out = 0xffffd000d20b9400
ObReferenceObjectByHandle Handle_unk = 0x208, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d20b9378, Object_out = 0xffffc00003806ee0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d20b9400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001ae9dc540, ret_val_ptr_out = 0x37c03
ObQueryNameString Object_ptr = 0xffffc00003806ee0, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afde5044, ReturnLength_ptr_out = 0xffffd000d20b9380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffc00003806ee0, ret_val_ptr_out = 0x8ffe5
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001ae9dc540, PROCESS_unk_out = 0xffffe001ae9dc540, ApcState_unk_out = 0xffffd000d20b9400
ObReferenceObjectByHandle Handle_unk = 0x23c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d20b9378, Object_out = 0xffffe001ae205d00, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d20b9400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001ae9dc540, ret_val_ptr_out = 0x37c02
ObQueryNameString Object_ptr = 0xffffe001ae205d00, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afce7684, ReturnLength_ptr_out = 0xffffd000d20b9380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001ae205d00, ret_val_ptr_out = 0x7ffa
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xffffe001ae9dc540, PROCESS_unk_out = 0xffffe001ae9dc540, ApcState_unk_out = 0xffffd000d20b9400
ObReferenceObjectByHandle Handle_unk = 0x2c0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000d20b9378, Object_out = 0xffffe001af93c090, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xffffd000d20b9400
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xffffe001ae9dc540, ret_val_ptr_out = 0x37c01
ObQueryNameString Object_ptr = 0xffffe001af93c090, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe001afe26044, ReturnLength_ptr_out = 0xffffd000d20b9380, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xffffe001af93c090, ret_val_ptr_out = 0x7ffc

Kernel Graph 13

Kernel Graph

Kernel Graph Legend
Code Block #13 (EP #29)
»
Information Value
Trigger ??_C@_1DA@HOOFFHMM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe?$AA?9?$AAS?$AAK?$AAU?$AA?$AA@FNODOBFM@+0x1684
Start Address 0xffffe001af6c051a
Execution Path #29 (length: 2, count: 1, processes: 1 incomplete)
»
Information Value
Sequence Length 2
Processes
»
Process Count
Process 40 (System, PID: 4) 1
Sequence
»
Symbol Parameters
KeAcquireSpinLockRaiseToDpc SpinLock_unk = 0xffffe001af6c0a82, SpinLock_unk_out = 0xffffe001af6c0a82, ret_val_unk_out = 0x2
KeReleaseSpinLock SpinLock_unk = 0xffffe001af6c0a82, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe001af6c0a82

Kernel Graph 14

Kernel Graph

Kernel Graph Legend
Code Block #14 (EP #30)
»
Information Value
Trigger ExpWorkerThread+0xe7
Start Address 0xffffe001af6d220b
Execution Path #30 (length: 1, count: 1, processes: 1 incomplete)
»
Information Value
Sequence Length 1
Processes
»
Process Count
Process 40 (System, PID: 4) 1
Sequence
»
Symbol Parameters
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x577ca, Tag = 0x58434f46, ret_val_ptr_out = 0xffffe001afcf9000
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image