c7408dcd...f350 | Kernel
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Ransomware
Dropper
Spyware
Threat Names:
Generic.Ransom.Matrix.CA56E05D
VBS.Heur.Laburrak.11.Gen
Trojan.GenericKD.40672878
...

Remarks (2/2)

(0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.

Kernel Graph 1

Code Block #1 (EP #1)
Information Value
Trigger IopLoadDriver+0xa04
Start Address 0xfffff88004590058
Execution Path #1 (length: 58, count: 1, processes: 1)
Information Value
Sequence Length 58
Processes
Process Count
Process 30 (System, PID: 4) 1
Sequence
Symbol Parameters
RtlInitUnicodeString SourceString = PsAcquireProcessExitSynchronization, DestinationString_out = PsAcquireProcessExitSynchronization
MmGetSystemRoutineAddress SystemRoutineName = PsAcquireProcessExitSynchronization, ret_val_ptr_out = 0xfffff80002c10d90
RtlInitUnicodeString SourceString = PsReleaseProcessExitSynchronization, DestinationString_out = PsReleaseProcessExitSynchronization
MmGetSystemRoutineAddress SystemRoutineName = PsReleaseProcessExitSynchronization, ret_val_ptr_out = 0xfffff80002c1f770
RtlInitUnicodeString SourceString = ObGetObjectType, DestinationString_out = ObGetObjectType
MmGetSystemRoutineAddress SystemRoutineName = ObGetObjectType, ret_val_ptr_out = 0xfffff80002b49b54
ObGetObjectType ret_val_out = 0xfffffa800184acd0
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x26, Tag = 0x544f4550, ret_val_ptr_out = 0xfffff8a002b0a660
ObOpenObjectByName ObjectAttributes_unk = 0xfffff88002fa46a0, ObjectType_unk = 0xfffffa800184acd0, AccessMode_unk = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0xfffff880000f0001, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Handle_ptr_out = 0xfffff88002fa46f8, Handle_out = 0xffffffff800007b0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a002b0a660, Tag = 0x0
ObReferenceObjectByHandle Handle_unk = 0xffffffff800007b0, DesiredAccess_unk = 0xf0001, ObjectType_unk = 0xfffffa800184acd0, AccessMode_unk = 0x0, Object_ptr_out = 0xfffff88002fa4700, Object_out = 0xfffffa80018be570, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff800007b0, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa80018be570, ret_val_ptr_out = 0x2
RtlInitUnicodeString SourceString = \Device\PROCEXP152, DestinationString_out = \Device\PROCEXP152
RtlInitUnicodeString SourceString = D:P(A;;GA;;;SY)(A;;GA;;;BA), DestinationString_out = D:P(A;;GA;;;SY)(A;;GA;;;BA)
RtlInitUnicodeString SourceString = IoCreateDeviceSecure, DestinationString_out = IoCreateDeviceSecure
MmGetSystemRoutineAddress SystemRoutineName = IoCreateDeviceSecure, ret_val_ptr_out = 0x0
RtlInitUnicodeString SourceString = IoValidateDeviceIoControlAccess, DestinationString_out = IoValidateDeviceIoControlAccess
MmGetSystemRoutineAddress SystemRoutineName = IoValidateDeviceIoControlAccess, ret_val_ptr_out = 0xfffff8000292d4c0
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x68, Tag = 0x6c416553, ret_val_ptr_out = 0xfffff8a002b15270
_wcsnicmp _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0
_wcsnicmp _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11
_wcsnicmp _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12
_wcsnicmp _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0
_wcsnicmp _String1 = SY, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -4
_wcsnicmp _String1 = SY, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 17
_wcsnicmp _String1 = SY, _String2 = SY, _MaxCount_ptr = 0x2, ret_val_out = 0
RtlLengthSid Sid_ptr = 0xfffffa800184a8a0, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, ret_val_out = 0xc
RtlAddAccessAllowedAce Acl_unk = 0xfffff8a002b15270, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xfffffa800184a8a0, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, Acl_unk_out = 0xfffff8a002b15270, ret_val_out = 0x0
_wcsnicmp _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0
_wcsnicmp _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11
_wcsnicmp _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12
_wcsnicmp _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0
_wcsnicmp _String1 = BA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -21
_wcsnicmp _String1 = BA, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 0
RtlLengthSid Sid_ptr = 0xfffff8a000001840, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, ret_val_out = 0x10
RtlAddAccessAllowedAce Acl_unk = 0xfffff8a002b15270, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xfffff8a000001840, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, Acl_unk_out = 0xfffff8a002b15270, ret_val_out = 0x0
RtlCreateSecurityDescriptor Revision = 0x1, SecurityDescriptor_unk_out = 0xfffff88002fa4588, ret_val_out = 0x0
RtlSetDaclSecurityDescriptor SecurityDescriptor_unk = 0xfffff88002fa4588, DaclPresent = 1, Dacl_unk = 0xfffff8a002b15270, DaclDefaulted = 0, SecurityDescriptor_unk_out = 0xfffff88002fa4588, ret_val_out = 0x0
RtlAbsoluteToSelfRelativeSD AbsoluteSecurityDescriptor_unk = 0xfffff88002fa4588, BufferLength_ptr = 0xfffff88002fa45d0, SelfRelativeSecurityDescriptor_unk_out = 0x0, BufferLength_ptr_out = 0xfffff88002fa45d0, ret_val_out = 0xc0000023
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x48, Tag = 0x64536553, ret_val_ptr_out = 0xfffff8a001c64150
RtlAbsoluteToSelfRelativeSD AbsoluteSecurityDescriptor_unk = 0xfffff88002fa4588, BufferLength_ptr = 0xfffff88002fa45d0, SelfRelativeSecurityDescriptor_unk_out = 0xfffff8a001c64150, BufferLength_ptr_out = 0xfffff88002fa45d0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a002b15270, Tag = 0x0
IoCreateDevice DriverObject_unk = 0xfffffa80036e8060, DeviceExtensionSize = 0x0, DeviceName = \Device\PROCEXP152, DeviceType_unk = 0x8335, DeviceCharacteristics = 0x0, Exclusive = 0, DeviceObject_unk_out = 0xfffff88002fa46d0, ret_val_out = 0x0
RtlGetOwnerSecurityDescriptor SecurityDescriptor_unk = 0xfffff8a001c64150, Owner_ptr_out = 0xfffff88002fa4560, Owner_out = 0x0, OwnerDefaulted_ptr_out = 0xfffff88002fa4598, ret_val_out = 0x0
RtlGetGroupSecurityDescriptor SecurityDescriptor_unk = 0xfffff8a001c64150, Group_ptr_out = 0xfffff88002fa4560, Group_out = 0x0, GroupDefaulted_ptr_out = 0xfffff88002fa4598, ret_val_out = 0x0
RtlGetSaclSecurityDescriptor SecurityDescriptor_unk = 0xfffff8a001c64150, SaclPresent_ptr_out = 0xfffff88002fa45a8, Sacl_unk_out = 0xfffff88002fa4568, SaclDefaulted_ptr_out = 0xfffff88002fa4598, ret_val_out = 0x0
RtlGetDaclSecurityDescriptor SecurityDescriptor_unk = 0xfffff8a001c64150, DaclPresent_ptr_out = 0xfffff88002fa45a8, Dacl_unk_out = 0xfffff88002fa4568, DaclDefaulted_ptr_out = 0xfffff88002fa4598, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xfffffa80019e2370, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x40000, ObjectType_unk = 0xfffffa8001933900, AccessMode_unk = 0xfffffa80036e8000, Handle_ptr_out = 0xfffff88002fa45d0, Handle_out = 0xffffffff800007b0, ret_val_out = 0x0
ZwSetSecurityObject Handle_unk = 0xffffffff800007b0, SecurityInformation_unk = 0x4, SecurityDescriptor_unk = 0xfffff8a001c64150, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff800007b0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a001c64150, Tag = 0x0
RtlInitUnicodeString SourceString = \DosDevices\PROCEXP152, DestinationString_out = \DosDevices\PROCEXP152
IoCreateSymbolicLink SymbolicLinkName = \DosDevices\PROCEXP152, DeviceName = \Device\PROCEXP152, ret_val_out = 0x0

Kernel Graph 2

Code Block #2 (EP #2, #3, #4, #5, #6, #7, #8, #9, #10, #11, #12, #13)
Information Value
Trigger IofCallDriver+0x50
Start Address 0xfffff88004589000
Execution Path #2 (length: 5, count: 4, processes: 4)
Information Value
Sequence Length 5
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 1
Process 172 (tdq963ii64.exe, PID: 2332) 1
Process 191 (tdq963ii64.exe, PID: 2596) 1
Process 256 (tdq963ii64.exe, PID: 1488) 1
Sequence
Symbol Parameters
SeCaptureSubjectContext SubjectContext_unk_out = 0xfffff88005163598
ExGetPreviousMode ret_val_unk_out = 0xfffffa8003825b01
SePrivilegeCheck RequiredPrivileges_unk = 0xfffff880051635b8, SubjectSecurityContext_unk = 0xfffff88005163598, AccessMode_unk = 0x1, RequiredPrivileges_unk_out = 0xfffff880051635b8, ret_val_out = 1
SeReleaseSubjectContext SubjectContext_unk = 0xfffff88005163598, SubjectContext_unk_out = 0xfffff88005163598
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #3 (length: 10, count: 3898, processes: 4)
Information Value
Sequence Length 10
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 1258
Process 172 (tdq963ii64.exe, PID: 2332) 93
Process 191 (tdq963ii64.exe, PID: 2596) 1262
Process 256 (tdq963ii64.exe, PID: 1488) 1285
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x67c, Process_unk_out = 0xfffff88005163558, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa80025564f0, PROCESS_unk_out = 0xfffffa80025564f0, ApcState_unk_out = 0xfffff880051635d0
ObReferenceObjectByHandle Handle_unk = 0x28, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80025f0601, Object_ptr_out = 0xfffff88005163548, Object_out = 0xfffff8a002626630, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xfffff880051635d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa80025564f0, ret_val_ptr_out = 0xd
ObQueryNameString Object_ptr = 0xfffff8a002626630, Length = 0x800, ObjectNameInfo_unk_out = 0xfffffa800269a044, ReturnLength_ptr_out = 0xfffff88005163550, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffff8a002626630, ret_val_ptr_out = 0x4
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #4 (length: 13, count: 12, processes: 4)
Information Value
Sequence Length 13
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 3
Process 172 (tdq963ii64.exe, PID: 2332) 3
Process 191 (tdq963ii64.exe, PID: 2596) 3
Process 256 (tdq963ii64.exe, PID: 1488) 3
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x3a4, Process_unk_out = 0xfffff880051635a8, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa8002664760, PROCESS_unk_out = 0xfffffa8002664760, ApcState_unk_out = 0xfffff880051635c8
ObReferenceObjectByHandle Handle_unk = 0xc0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80025f0601, Object_ptr_out = 0xfffff880051635b0, Object_out = 0xfffffa80023dc3f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa8002664760, ret_val_ptr_out = 0x1e
ZwQueryObject Handle_unk = 0xc0, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x0, ObjectInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xfffff880051635a4, ret_val_out = 0xc0000004
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x88, Tag = 0x58637250, ret_val_ptr_out = 0xfffff8a002c06070
ZwQueryObject Handle_unk = 0xc0, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x88, ObjectInformation_ptr_out = 0xfffff8a002c06070, ReturnLength_ptr_out = 0x0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a002c06070, Tag = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa80023dc3f0, ret_val_ptr_out = 0x1
KeUnstackDetachProcess ApcState_unk = 0xfffff880051635c8
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #5 (length: 8, count: 1, processes: 1)
Information Value
Sequence Length 8
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 1
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x3a4, Process_unk_out = 0xfffff880051635a8, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa8002664760, PROCESS_unk_out = 0xfffffa8002664760, ApcState_unk_out = 0xfffff880051635c8
ObReferenceObjectByHandle Handle_unk = 0xb8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80025f0601, Object_ptr_out = 0xfffff880051635b0, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa8002664760, ret_val_ptr_out = 0x1e
KeUnstackDetachProcess ApcState_unk = 0xfffff880051635c8
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #6 (length: 8, count: 12, processes: 3)
Information Value
Sequence Length 8
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 7
Process 191 (tdq963ii64.exe, PID: 2596) 4
Process 256 (tdq963ii64.exe, PID: 1488) 1
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x3a4, Process_unk_out = 0xfffff88005163558, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa8002664760, PROCESS_unk_out = 0xfffffa8002664760, ApcState_unk_out = 0xfffff880051635d0
ObReferenceObjectByHandle Handle_unk = 0xb8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80025f0601, Object_ptr_out = 0xfffff88005163548, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008
KeUnstackDetachProcess ApcState_unk = 0xfffff880051635d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa8002664760, ret_val_ptr_out = 0x1e
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #7 (length: 2, count: 8, processes: 4)
Information Value
Sequence Length 2
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 2
Process 172 (tdq963ii64.exe, PID: 2332) 2
Process 191 (tdq963ii64.exe, PID: 2596) 2
Process 256 (tdq963ii64.exe, PID: 1488) 2
Sequence
Symbol Parameters
ZwOpenProcess DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xfffff88005163688, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xfffff88005163678, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xfffffa80025f40c0, ProcessHandle_out = 0xc8, ret_val_out = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #8 (length: 4, count: 8, processes: 4)
Information Value
Sequence Length 4
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 2
Process 172 (tdq963ii64.exe, PID: 2332) 2
Process 191 (tdq963ii64.exe, PID: 2596) 2
Process 256 (tdq963ii64.exe, PID: 1488) 2
Sequence
Symbol Parameters
ZwOpenProcess DesiredAccess_unk = 0x40, ObjectAttributes_ptr = 0xfffff88005163608, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xfffff880051635f8, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xfffff880051635f0, ProcessHandle_out = 0xffffffff800005a4, ret_val_out = 0x0
ZwDuplicateObject SourceProcessHandle_unk = 0xffffffff800005a4, SourceHandle_unk = 0x42c, TargetProcessHandle_unk = 0xffffffffffffffff, DesiredAccess_unk = 0xfffff88010000000, HandleAttributes = 0x0, Options = 0x0, TargetHandle_ptr_out = 0xfffffa80025f40c0, TargetHandle_out = 0xc4, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff800005a4, ret_val_out = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #9 (length: 6, count: 426, processes: 4)
Information Value
Sequence Length 6
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 110
Process 172 (tdq963ii64.exe, PID: 2332) 91
Process 191 (tdq963ii64.exe, PID: 2596) 113
Process 256 (tdq963ii64.exe, PID: 1488) 112
Sequence
Symbol Parameters
ObReferenceObjectByHandle Handle_unk = 0xc8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xfffff88005163668, Object_out = 0xfffffa8007ff84f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xfffffa8007ff84f0, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xfffff88005163670, Handle_out = 0xffffffff80000654, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa8007ff84f0, ret_val_ptr_out = 0x19
ZwOpenProcessToken ProcessHandle_unk = 0xffffffff80000654, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xfffffa8001eb3d00, TokenHandle_out = 0xc4, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000654, ret_val_out = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #10 (length: 9, count: 16, processes: 3)
Information Value
Sequence Length 9
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 7
Process 191 (tdq963ii64.exe, PID: 2596) 6
Process 256 (tdq963ii64.exe, PID: 1488) 3
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x370, Process_unk_out = 0xfffff88005163558, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa800382ab30, PROCESS_unk_out = 0xfffffa800382ab30, ApcState_unk_out = 0xfffff880051635d0
ObReferenceObjectByHandle Handle_unk = 0xa70, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80025f0601, Object_ptr_out = 0xfffff88005163548, Object_out = 0xfffffa8002f796c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa8002f796c0, ret_val_ptr_out = 0x17
KeUnstackDetachProcess ApcState_unk = 0xfffff880051635d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa800382ab30, ret_val_ptr_out = 0x1d0
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #11 (length: 2, count: 173, processes: 3)
Information Value
Sequence Length 2
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 20
Process 191 (tdq963ii64.exe, PID: 2596) 107
Process 256 (tdq963ii64.exe, PID: 1488) 46
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x9bc, Process_unk_out = 0xfffff88005163558, ret_val_out = 0xc000000b
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Execution Path #12 (length: 1, count: 4, processes: 4)
Information Value
Sequence Length 1
Processes
Process Count
Process 27 (tdq963ii64.exe, PID: 836) 1
Process 172 (tdq963ii64.exe, PID: 2332) 1
Process 191 (tdq963ii64.exe, PID: 2596) 1
Process 256 (tdq963ii64.exe, PID: 1488) 1
Sequence
Symbol Parameters
IofCompleteRequest Irp_unk = 0xfffffa8002989340, PriorityBoost = 0
Execution Path #13 (length: 8, count: 1, processes: 1)
Information Value
Sequence Length 8
Processes
Process Count
Process 172 (tdq963ii64.exe, PID: 2332) 1
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0xb40, Process_unk_out = 0xfffff88002aab5f0, ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa800287e060, PROCESS_unk_out = 0xfffffa800287e060, ApcState_unk_out = 0xfffff88002aab608
ObReferenceObjectByHandle Handle_unk = 0x130, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80030d1b01, Object_ptr_out = 0xfffff88002aab5f8, Object_out = 0xfffffa8002009290, HandleInformation_unk_out = 0xfffff88002aab600, ret_val_out = 0x0
ObCloseHandle Handle_unk = 0x130, AccessMode_unk = 0x1, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa8002009290, ret_val_ptr_out = 0x1
KeUnstackDetachProcess ApcState_unk = 0xfffff88002aab608
ObfDereferenceObject Object_ptr = 0xfffffa800287e060, ret_val_ptr_out = 0x4a
IofCompleteRequest Irp_unk = 0xfffffa800c187a90, PriorityBoost = 0
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.