VTI SCORE: 95/100
| Dynamic Analysis Report |
| Classification: Dropper, Riskware, Downloader, Trojan, Ransomware |
e644b88e3ab8e153ad0fef9c511c1844f1652becd860ac90c3091e1b1113e4aa (SHA256)
e644b88e3ab8e153ad0fef9c511c1844f1652becd860ac90c3091e1b1113e4aa.exe
Windows Exe (x86-32)
Created at 2018-10-20 15:54:00
Notifications (2/4)
Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.
Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.
Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Kernel Graph 1
Code Block #1 (EP #1)
»
| Information | Value |
|---|---|
| Trigger | IopLoadDriver+0x5e4 |
| Start Address | 0xfffff800e5619058 |
Execution Path #1 (length: 58, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 58 |
Processes
»
| Process | Count |
|---|---|
| Process 69 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlInitUnicodeString | SourceString = PsAcquireProcessExitSynchronization, DestinationString_out = PsAcquireProcessExitSynchronization |
| MmGetSystemRoutineAddress | SystemRoutineName = PsAcquireProcessExitSynchronization, ret_val_ptr_out = 0xfffff8011b11e204 |
| RtlInitUnicodeString | SourceString = PsReleaseProcessExitSynchronization, DestinationString_out = PsReleaseProcessExitSynchronization |
| MmGetSystemRoutineAddress | SystemRoutineName = PsReleaseProcessExitSynchronization, ret_val_ptr_out = 0xfffff8011b122ce0 |
| RtlInitUnicodeString | SourceString = ObGetObjectType, DestinationString_out = ObGetObjectType |
| MmGetSystemRoutineAddress | SystemRoutineName = ObGetObjectType, ret_val_ptr_out = 0xfffff8011b135ae8 |
| ObGetObjectType | ret_val_out = 0xffffe000ff8694e0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x26, Tag = 0x544f4550, ret_val_ptr_out = 0xffffc0011a00ab40 |
| ObOpenObjectByName | ObjectAttributes_unk = 0xffffd000b5dcf5a0, ObjectType_unk = 0xffffe000ff8694e0, AccessMode_unk = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0xffffd000000f0001, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Handle_ptr_out = 0xffffd000b5dcf5f8, Handle_out = 0xffffffff80000c8c, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc0011a00ab40, Tag = 0x0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000c8c, DesiredAccess_unk = 0xf0001, ObjectType_unk = 0xffffe000ff8694e0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b5dcf600, Object_out = 0xffffe000ff870f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000c8c, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe000ff870f20, ret_val_ptr_out = 0x2 |
| RtlInitUnicodeString | SourceString = \Device\PROCEXP152, DestinationString_out = \Device\PROCEXP152 |
| RtlInitUnicodeString | SourceString = D:P(A;;GA;;;SY)(A;;GA;;;BA), DestinationString_out = D:P(A;;GA;;;SY)(A;;GA;;;BA) |
| RtlInitUnicodeString | SourceString = IoCreateDeviceSecure, DestinationString_out = IoCreateDeviceSecure |
| MmGetSystemRoutineAddress | SystemRoutineName = IoCreateDeviceSecure, ret_val_ptr_out = 0x0 |
| RtlInitUnicodeString | SourceString = IoValidateDeviceIoControlAccess, DestinationString_out = IoValidateDeviceIoControlAccess |
| MmGetSystemRoutineAddress | SystemRoutineName = IoValidateDeviceIoControlAccess, ret_val_ptr_out = 0xfffff8011ad0d874 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x68, Tag = 0x6c416553, ret_val_ptr_out = 0xffffc001133db6c0 |
| _wcsnicmp | _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0 |
| _wcsnicmp | _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11 |
| _wcsnicmp | _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12 |
| _wcsnicmp | _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| _wcsnicmp | _String1 = SY, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -4 |
| _wcsnicmp | _String1 = SY, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 17 |
| _wcsnicmp | _String1 = SY, _String2 = SY, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| RtlLengthSid | Sid_ptr = 0xffffe000ff854740, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, ret_val_out = 0xc |
| RtlAddAccessAllowedAce | Acl_unk = 0xffffc001133db6c0, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffe000ff854740, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, Acl_unk_out = 0xffffc001133db6c0, ret_val_out = 0x0 |
| _wcsnicmp | _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0 |
| _wcsnicmp | _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11 |
| _wcsnicmp | _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12 |
| _wcsnicmp | _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| _wcsnicmp | _String1 = BA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -21 |
| _wcsnicmp | _String1 = BA, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| RtlLengthSid | Sid_ptr = 0xffffc0010dc00390, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, ret_val_out = 0x10 |
| RtlAddAccessAllowedAce | Acl_unk = 0xffffc001133db6c0, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffc0010dc00390, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, Acl_unk_out = 0xffffc001133db6c0, ret_val_out = 0x0 |
| RtlCreateSecurityDescriptor | Revision = 0x1, SecurityDescriptor_unk_out = 0xffffd000b5dcf488, ret_val_out = 0x0 |
| RtlSetDaclSecurityDescriptor | SecurityDescriptor_unk = 0xffffd000b5dcf488, DaclPresent = 1, Dacl_unk = 0xffffc001133db6c0, DaclDefaulted = 0, SecurityDescriptor_unk_out = 0xffffd000b5dcf488, ret_val_out = 0x0 |
| RtlAbsoluteToSelfRelativeSD | AbsoluteSecurityDescriptor_unk = 0xffffd000b5dcf488, BufferLength_ptr = 0xffffd000b5dcf4d0, SelfRelativeSecurityDescriptor_unk_out = 0x0, BufferLength_ptr_out = 0xffffd000b5dcf4d0, ret_val_out = 0xc0000023 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x48, Tag = 0x64536553, ret_val_ptr_out = 0xffffc0010e5fecd0 |
| RtlAbsoluteToSelfRelativeSD | AbsoluteSecurityDescriptor_unk = 0xffffd000b5dcf488, BufferLength_ptr = 0xffffd000b5dcf4d0, SelfRelativeSecurityDescriptor_unk_out = 0xffffc0010e5fecd0, BufferLength_ptr_out = 0xffffd000b5dcf4d0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc001133db6c0, Tag = 0x0 |
| IoCreateDevice | DriverObject_unk = 0xffffe00102cbaca0, DeviceExtensionSize = 0x0, DeviceName = \Device\PROCEXP152, DeviceType_unk = 0x8335, DeviceCharacteristics = 0x0, Exclusive = 0, DeviceObject_unk_out = 0xffffd000b5dcf5d0, ret_val_out = 0x0 |
| RtlGetOwnerSecurityDescriptor | SecurityDescriptor_unk = 0xffffc0010e5fecd0, Owner_ptr_out = 0xffffd000b5dcf460, Owner_out = 0x0, OwnerDefaulted_ptr_out = 0xffffd000b5dcf498, ret_val_out = 0x0 |
| RtlGetGroupSecurityDescriptor | SecurityDescriptor_unk = 0xffffc0010e5fecd0, Group_ptr_out = 0xffffd000b5dcf460, Group_out = 0x0, GroupDefaulted_ptr_out = 0xffffd000b5dcf498, ret_val_out = 0x0 |
| RtlGetSaclSecurityDescriptor | SecurityDescriptor_unk = 0xffffc0010e5fecd0, SaclPresent_ptr_out = 0xffffd000b5dcf4a8, Sacl_unk_out = 0xffffd000b5dcf468, SaclDefaulted_ptr_out = 0xffffd000b5dcf498, ret_val_out = 0x0 |
| RtlGetDaclSecurityDescriptor | SecurityDescriptor_unk = 0xffffc0010e5fecd0, DaclPresent_ptr_out = 0xffffd000b5dcf4a8, Dacl_unk_out = 0xffffd000b5dcf468, DaclDefaulted_ptr_out = 0xffffd000b5dcf498, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe00102cbaa80, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x40000, ObjectType_unk = 0xffffe000ff882f20, AccessMode_unk = 0xffffe00102cbac00, Handle_ptr_out = 0xffffd000b5dcf4d0, Handle_out = 0xffffffff80000c8c, ret_val_out = 0x0 |
| ZwSetSecurityObject | Handle_unk = 0xffffffff80000c8c, SecurityInformation_unk = 0x4, SecurityDescriptor_unk = 0xffffc0010e5fecd0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000c8c, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc0010e5fecd0, Tag = 0x0 |
| RtlInitUnicodeString | SourceString = \DosDevices\PROCEXP152, DestinationString_out = \DosDevices\PROCEXP152 |
| IoCreateSymbolicLink | SymbolicLinkName = \DosDevices\PROCEXP152, DeviceName = \Device\PROCEXP152, ret_val_out = 0x0 |
Kernel Graph 2
Code Block #2 (EP #2, #3, #4, #5, #6)
»
| Information | Value |
|---|---|
| Trigger | IofCallDriver+0x4b |
| Start Address | 0xfffff800e5612000 |
Execution Path #2 (length: 5, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 1 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| SeCaptureSubjectContext | SubjectContext_unk_out = 0xffffd000b6d97328 |
| ExGetPreviousMode | ret_val_unk_out = 0x1 |
| SePrivilegeCheck | RequiredPrivileges_unk = 0xffffd000b6d97348, SubjectSecurityContext_unk = 0xffffd000b6d97328, AccessMode_unk = 0x1, RequiredPrivileges_unk_out = 0xffffd000b6d97348, ret_val_out = 1 |
| SeReleaseSubjectContext | SubjectContext_unk = 0xffffd000b6d97328, SubjectContext_unk_out = 0xffffd000b6d97328 |
| IoCompleteRequest | ret_val_out = 0x884 |
Execution Path #3 (length: 10, count: 1762, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 10 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 994 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 768 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x8ec, Process_unk_out = 0xffffd000b6d97388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe00102af9840, PROCESS_unk_out = 0xffffe00102af9840, ApcState_unk_out = 0xffffd000b6d97400 |
| ObReferenceObjectByHandle | Handle_unk = 0x44, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b6d97378, Object_out = 0xffffe001004e9c00, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6d97400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe00102af9840, ret_val_ptr_out = 0x17fe9 |
| ObQueryNameString | Object_ptr = 0xffffe001004e9c00, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe000ffeff044, ReturnLength_ptr_out = 0xffffd000b6d97380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001004e9c00, ret_val_ptr_out = 0x10001 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #4 (length: 13, count: 8, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 4 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x938, Process_unk_out = 0xffffd000b6d973d8, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe00102c54440, PROCESS_unk_out = 0xffffe00102c54440, ApcState_unk_out = 0xffffd000b6d973f8 |
| ObReferenceObjectByHandle | Handle_unk = 0x154, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b6d973e0, Object_out = 0xffffe00102ca8b30, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe00102c54440, ret_val_ptr_out = 0x20015 |
| ZwQueryObject | Handle_unk = 0x154, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x0, ObjectInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000b6d973d4, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x88, Tag = 0x58637250, ret_val_ptr_out = 0xffffc0011284c610 |
| ZwQueryObject | Handle_unk = 0x154, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x88, ObjectInformation_ptr_out = 0xffffc0011284c610, ReturnLength_ptr_out = 0x0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc0011284c610, Tag = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00102ca8b30, ret_val_ptr_out = 0x7ffe |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6d973f8 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #5 (length: 2, count: 16, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 8 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 8 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcess | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd000b6d974b8, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd000b6d974a8, ClientId_deref_UniqueProcess_unk = 0x7dc, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffe00102c55b00, ProcessHandle_out = 0x1a0, ret_val_out = 0x0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #6 (length: 4, count: 10, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 5 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 5 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcess | DesiredAccess_unk = 0x40, ObjectAttributes_ptr = 0xffffd000b6d97438, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd000b6d97428, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd000b6d97420, ProcessHandle_out = 0xffffffff80000c3c, ret_val_out = 0x0 |
| ZwDuplicateObject | SourceProcessHandle_unk = 0xffffffff80000c3c, SourceHandle_unk = 0xdbc, TargetProcessHandle_unk = 0xffffffffffffffff, DesiredAccess_unk = 0x10000000, HandleAttributes = 0x0, Options = 0x0, TargetHandle_ptr_out = 0xffffe00102c55b00, TargetHandle_out = 0x1a4, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000c3c, ret_val_out = 0x0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Kernel Graph 3
Code Block #3 (EP #7)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2620 |
| Start Address | 0xfffff8011b0d0384 |
Execution Path #7 (length: 1, count: 1616, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 904 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 712 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffffd000b6d97388, ret_val_out = 0x0 |
Kernel Graph 4
Code Block #4 (EP #8)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2641 |
| Start Address | 0xfffff8011b11e204 |
Execution Path #8 (length: 1, count: 1534, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 855 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 679 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
Kernel Graph 5
Code Block #5 (EP #9)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2669 |
| Start Address | 0xfffff8011ac89dc0 |
Execution Path #9 (length: 1, count: 1534, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 855 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 679 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeStackAttachProcess | PROCESS_unk = 0xffffe000ff87e840, PROCESS_unk_out = 0xffffe000ff87e840, ApcState_unk_out = 0xffffd000b6d97400 |
Kernel Graph 6
Code Block #6 (EP #10)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26a0 |
| Start Address | 0xfffff8011b034640 |
Execution Path #10 (length: 1, count: 1534, processes: 107)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 1 (e644b88e3ab8e153ad0fef9c511c1844f1652becd860ac90c3091e1b1113e4aa.exe, PID: 4016) | 15 |
| Process 2 (UNKNOWN, PID: UNKNOWN) | 8 |
| Process 5 (nwyhzjzl.exe, PID: 132) | 10 |
| Process 6 (UNKNOWN, PID: UNKNOWN) | 8 |
| Process 8 (cmd.exe, PID: 3764) | 4 |
| Process 10 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 13 (wscript.exe, PID: 836) | 12 |
| Process 15 (cmd.exe, PID: 636) | 4 |
| Process 16 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 17 (cmd.exe, PID: 1720) | 5 |
| Process 18 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 36 (cmd.exe, PID: 3732) | 9 |
| Process 37 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 38 (cmd.exe, PID: 2312) | 9 |
| Process 39 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 42 (cmd.exe, PID: 2708) | 8 |
| Process 43 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 45 (cmd.exe, PID: 3112) | 4 |
| Process 49 (cmd.exe, PID: 1856) | 8 |
| Process 50 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 51 (3oobmnjy.exe, PID: 3132) | 5 |
| Process 55 (cmd.exe, PID: 3096) | 8 |
| Process 56 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 57 (3oobmnjy64.exe, PID: 2952) | 4 |
| Process 59 (cmd.exe, PID: 524) | 8 |
| Process 60 (cmd.exe, PID: 704) | 2 |
| Process 61 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 63 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 67 (cmd.exe, PID: 2216) | 6 |
| Process 68 (UNKNOWN, PID: UNKNOWN) | 5 |
| Process 69 (System, PID: 4) | 231 |
| Process 70 (smss.exe, PID: 268) | 11 |
| Process 71 (csrss.exe, PID: 344) | 25 |
| Process 72 (wininit.exe, PID: 408) | 11 |
| Process 73 (csrss.exe, PID: 416) | 54 |
| Process 74 (winlogon.exe, PID: 464) | 7 |
| Process 75 (services.exe, PID: 488) | 15 |
| Process 76 (lsass.exe, PID: 496) | 23 |
| Process 77 (svchost.exe, PID: 584) | 39 |
| Process 78 (svchost.exe, PID: 616) | 19 |
| Process 79 (dwm.exe, PID: 712) | 15 |
| Process 80 (svchost.exe, PID: 816) | 86 |
| Process 81 (svchost.exe, PID: 824) | 107 |
| Process 82 (svchost.exe, PID: 864) | 15 |
| Process 83 (svchost.exe, PID: 872) | 34 |
| Process 84 (svchost.exe, PID: 928) | 20 |
| Process 85 (svchost.exe, PID: 672) | 28 |
| Process 86 (spoolsv.exe, PID: 560) | 35 |
| Process 87 (svchost.exe, PID: 1092) | 19 |
| Process 88 (officeclicktorun.exe, PID: 1256) | 19 |
| Process 89 (svchost.exe, PID: 1536) | 18 |
| Process 90 (sihost.exe, PID: 1912) | 8 |
| Process 91 (taskhostw.exe, PID: 1964) | 17 |
| Process 92 (explorer.exe, PID: 1288) | 161 |
| Process 93 (runtimebroker.exe, PID: 2068) | 14 |
| Process 94 (shellexperiencehost.exe, PID: 2464) | 22 |
| Process 95 (searchui.exe, PID: 2940) | 56 |
| Process 96 (backgroundtaskhost.exe, PID: 728) | 12 |
| Process 97 (uni.exe, PID: 2564) | 5 |
| Process 98 (deliver.exe, PID: 1704) | 5 |
| Process 99 (relating.exe, PID: 1276) | 5 |
| Process 100 (customerrecommendation.exe, PID: 2988) | 5 |
| Process 101 (victims_language_conversations.exe, PID: 3052) | 5 |
| Process 102 (gage_essentials_alive.exe, PID: 244) | 5 |
| Process 103 (visitor takes textbooks.exe, PID: 504) | 5 |
| Process 104 (plugins-animals.exe, PID: 740) | 5 |
| Process 105 (nursing.exe, PID: 2772) | 5 |
| Process 106 (numbers.exe, PID: 1284) | 5 |
| Process 107 (moviecubetn.exe, PID: 628) | 5 |
| Process 108 (naval groups instructions.exe, PID: 2088) | 5 |
| Process 109 (gravitysale.exe, PID: 1480) | 5 |
| Process 110 (thaicomboebook.exe, PID: 1472) | 5 |
| Process 111 (partition perspective touring.exe, PID: 1800) | 5 |
| Process 112 (sugar_cj_alpine.exe, PID: 1716) | 5 |
| Process 113 (eatbent.exe, PID: 2332) | 5 |
| Process 114 (fiscal.exe, PID: 64) | 5 |
| Process 115 (emerging.exe, PID: 2688) | 5 |
| Process 116 (want_dvds.exe, PID: 2256) | 5 |
| Process 117 (ir_gates.exe, PID: 936) | 5 |
| Process 118 (portfolio_highlighted_international.exe, PID: 1520) | 5 |
| Process 119 (priced.exe, PID: 2100) | 5 |
| Process 120 (backgroundtaskhost.exe, PID: 3172) | 5 |
| Process 121 (audiodg.exe, PID: 3748) | 9 |
| Process 122 (svchost.exe, PID: 4056) | 5 |
| Process 124 (sppsvc.exe, PID: 2012) | 4 |
| Process 126 (cmd.exe, PID: 3472) | 4 |
| Process 127 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 131 (cmd.exe, PID: 3424) | 4 |
| Process 132 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 137 (cmd.exe, PID: 2108) | 4 |
| Process 138 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 141 (cmd.exe, PID: 3992) | 4 |
| Process 142 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 144 (wmiadap.exe, PID: 3244) | 2 |
| Process 150 (cmd.exe, PID: 3784) | 4 |
| Process 151 (cacls.exe, PID: 2284) | 3 |
| Process 152 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 158 (cmd.exe, PID: 3080) | 7 |
| Process 160 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 162 (cmd.exe, PID: 3180) | 4 |
| Process 165 (3oobmnjy.exe, PID: 3388) | 5 |
| Process 166 (cmd.exe, PID: 3064) | 4 |
| Process 167 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 170 (wmiprvse.exe, PID: 1080) | 2 |
| Process 172 (cmd.exe, PID: 3668) | 2 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 4 |
| Process 174 (UNKNOWN, PID: UNKNOWN) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000bb8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b6d97378, Object_out = 0xffffe00101e2f070, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
Kernel Graph 7
Code Block #7 (EP #11)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26d2 |
| Start Address | 0xfffff8011ac89eb0 |
Execution Path #11 (length: 1, count: 1534, processes: 107)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 1 (e644b88e3ab8e153ad0fef9c511c1844f1652becd860ac90c3091e1b1113e4aa.exe, PID: 4016) | 15 |
| Process 2 (UNKNOWN, PID: UNKNOWN) | 8 |
| Process 5 (nwyhzjzl.exe, PID: 132) | 10 |
| Process 6 (UNKNOWN, PID: UNKNOWN) | 8 |
| Process 8 (cmd.exe, PID: 3764) | 4 |
| Process 10 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 13 (wscript.exe, PID: 836) | 12 |
| Process 15 (cmd.exe, PID: 636) | 4 |
| Process 16 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 17 (cmd.exe, PID: 1720) | 5 |
| Process 18 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 36 (cmd.exe, PID: 3732) | 9 |
| Process 37 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 38 (cmd.exe, PID: 2312) | 9 |
| Process 39 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 42 (cmd.exe, PID: 2708) | 8 |
| Process 43 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 45 (cmd.exe, PID: 3112) | 4 |
| Process 49 (cmd.exe, PID: 1856) | 8 |
| Process 50 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 51 (3oobmnjy.exe, PID: 3132) | 5 |
| Process 55 (cmd.exe, PID: 3096) | 8 |
| Process 56 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 57 (3oobmnjy64.exe, PID: 2952) | 4 |
| Process 59 (cmd.exe, PID: 524) | 8 |
| Process 60 (cmd.exe, PID: 704) | 2 |
| Process 61 (UNKNOWN, PID: UNKNOWN) | 7 |
| Process 63 (UNKNOWN, PID: UNKNOWN) | 4 |
| Process 67 (cmd.exe, PID: 2216) | 6 |
| Process 68 (UNKNOWN, PID: UNKNOWN) | 5 |
| Process 69 (System, PID: 4) | 231 |
| Process 70 (smss.exe, PID: 268) | 11 |
| Process 71 (csrss.exe, PID: 344) | 25 |
| Process 72 (wininit.exe, PID: 408) | 11 |
| Process 73 (csrss.exe, PID: 416) | 54 |
| Process 74 (winlogon.exe, PID: 464) | 7 |
| Process 75 (services.exe, PID: 488) | 15 |
| Process 76 (lsass.exe, PID: 496) | 23 |
| Process 77 (svchost.exe, PID: 584) | 39 |
| Process 78 (svchost.exe, PID: 616) | 19 |
| Process 79 (dwm.exe, PID: 712) | 15 |
| Process 80 (svchost.exe, PID: 816) | 86 |
| Process 81 (svchost.exe, PID: 824) | 107 |
| Process 82 (svchost.exe, PID: 864) | 15 |
| Process 83 (svchost.exe, PID: 872) | 34 |
| Process 84 (svchost.exe, PID: 928) | 20 |
| Process 85 (svchost.exe, PID: 672) | 28 |
| Process 86 (spoolsv.exe, PID: 560) | 35 |
| Process 87 (svchost.exe, PID: 1092) | 19 |
| Process 88 (officeclicktorun.exe, PID: 1256) | 19 |
| Process 89 (svchost.exe, PID: 1536) | 18 |
| Process 90 (sihost.exe, PID: 1912) | 8 |
| Process 91 (taskhostw.exe, PID: 1964) | 17 |
| Process 92 (explorer.exe, PID: 1288) | 161 |
| Process 93 (runtimebroker.exe, PID: 2068) | 14 |
| Process 94 (shellexperiencehost.exe, PID: 2464) | 22 |
| Process 95 (searchui.exe, PID: 2940) | 56 |
| Process 96 (backgroundtaskhost.exe, PID: 728) | 12 |
| Process 97 (uni.exe, PID: 2564) | 5 |
| Process 98 (deliver.exe, PID: 1704) | 5 |
| Process 99 (relating.exe, PID: 1276) | 5 |
| Process 100 (customerrecommendation.exe, PID: 2988) | 5 |
| Process 101 (victims_language_conversations.exe, PID: 3052) | 5 |
| Process 102 (gage_essentials_alive.exe, PID: 244) | 5 |
| Process 103 (visitor takes textbooks.exe, PID: 504) | 5 |
| Process 104 (plugins-animals.exe, PID: 740) | 5 |
| Process 105 (nursing.exe, PID: 2772) | 5 |
| Process 106 (numbers.exe, PID: 1284) | 5 |
| Process 107 (moviecubetn.exe, PID: 628) | 5 |
| Process 108 (naval groups instructions.exe, PID: 2088) | 5 |
| Process 109 (gravitysale.exe, PID: 1480) | 5 |
| Process 110 (thaicomboebook.exe, PID: 1472) | 5 |
| Process 111 (partition perspective touring.exe, PID: 1800) | 5 |
| Process 112 (sugar_cj_alpine.exe, PID: 1716) | 5 |
| Process 113 (eatbent.exe, PID: 2332) | 5 |
| Process 114 (fiscal.exe, PID: 64) | 5 |
| Process 115 (emerging.exe, PID: 2688) | 5 |
| Process 116 (want_dvds.exe, PID: 2256) | 5 |
| Process 117 (ir_gates.exe, PID: 936) | 5 |
| Process 118 (portfolio_highlighted_international.exe, PID: 1520) | 5 |
| Process 119 (priced.exe, PID: 2100) | 5 |
| Process 120 (backgroundtaskhost.exe, PID: 3172) | 5 |
| Process 121 (audiodg.exe, PID: 3748) | 9 |
| Process 122 (svchost.exe, PID: 4056) | 5 |
| Process 124 (sppsvc.exe, PID: 2012) | 4 |
| Process 126 (cmd.exe, PID: 3472) | 4 |
| Process 127 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 131 (cmd.exe, PID: 3424) | 4 |
| Process 132 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 137 (cmd.exe, PID: 2108) | 4 |
| Process 138 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 141 (cmd.exe, PID: 3992) | 4 |
| Process 142 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 144 (wmiadap.exe, PID: 3244) | 2 |
| Process 150 (cmd.exe, PID: 3784) | 4 |
| Process 151 (cacls.exe, PID: 2284) | 3 |
| Process 152 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 158 (cmd.exe, PID: 3080) | 7 |
| Process 160 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 162 (cmd.exe, PID: 3180) | 4 |
| Process 165 (3oobmnjy.exe, PID: 3388) | 5 |
| Process 166 (cmd.exe, PID: 3064) | 4 |
| Process 167 (UNKNOWN, PID: UNKNOWN) | 3 |
| Process 170 (wmiprvse.exe, PID: 1080) | 2 |
| Process 172 (cmd.exe, PID: 3668) | 2 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 4 |
| Process 174 (UNKNOWN, PID: UNKNOWN) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6d97400 |
Kernel Graph 8
Code Block #8 (EP #12)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26ee |
| Start Address | 0xfffff8011b122ce0 |
Execution Path #12 (length: 1, count: 1533, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 855 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 678 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
Kernel Graph 9
Code Block #9 (EP #13)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26f5 |
| Start Address | 0xfffff8011ac579b0 |
Execution Path #13 (length: 1, count: 3053, processes: 6)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 68 (UNKNOWN, PID: UNKNOWN) | 1 |
| Process 69 (System, PID: 4) | 10 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 1342 |
| Process 151 (cacls.exe, PID: 2284) | 3 |
| Process 57 (3oobmnjy64.exe, PID: 2952) | 1696 |
| Process 158 (cmd.exe, PID: 3080) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObfDereferenceObject | Object_ptr = 0xffffe000ff87e840, ret_val_ptr_out = 0x2fca1 |
Kernel Graph 10
Code Block #10 (EP #14)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x27c8 |
| Start Address | 0xfffff8011b13a118 |
Execution Path #14 (length: 1, count: 1505, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 841 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 664 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObQueryNameString | Object_ptr = 0xffffe00101e2f070, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe00102b3e7c4, ReturnLength_ptr_out = 0xffffd000b6d97380, ret_val_out = 0x0 |
Kernel Graph 11
Code Block #11 (EP #15)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x20f2 |
| Start Address | 0xfffff8011ac5b150 |
Execution Path #15 (length: 1, count: 1617, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 905 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 712 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoCompleteRequest | ret_val_out = 0x0 |
Kernel Graph 12
Code Block #12 (EP #16, #17, #19, #20)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x211a |
| Start Address | 0xfffff8011b03e17d |
Execution Path #16 (length: 9, count: 19, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 9 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 10 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffffd000b6d97388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe000ff87e840, PROCESS_unk_out = 0xffffe000ff87e840, ApcState_unk_out = 0xffffd000b6d97400 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000e04, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b6d97378, Object_out = 0xffffe00101b4eb40, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe00101b4eb40, ret_val_ptr_out = 0x8000 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6d97400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe000ff87e840, ret_val_ptr_out = 0x2fc70 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #17 (length: 8, count: 12, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 8 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 8 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffffd000b6d97388, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffe000ff87e840, PROCESS_unk_out = 0xffffe000ff87e840, ApcState_unk_out = 0xffffd000b6d97400 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000f08, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000b6d97378, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008 |
| KeUnstackDetachProcess | ApcState_unk = 0xffffd000b6d97400 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffe000ff87e840, ret_val_ptr_out = 0x2fc52 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #19 (length: 6, count: 165, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 79 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 86 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0x1a4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffffd000b6d97498, Object_out = 0xffffe000ff8b7080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe000ff8b7080, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffffd000b6d974a0, Handle_out = 0xffffffff80000d30, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe000ff8b7080, ret_val_ptr_out = 0x67ff8 |
| ZwOpenProcessToken | ProcessHandle_unk = 0xffffffff80000d30, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffe000fff61880, TokenHandle_out = 0x19c, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000d30, ret_val_out = 0x0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #20 (length: 2, count: 79, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 57 (3oobmnjy64.exe, PID: 2952) | 46 |
| Process 173 (3oobmnjy64.exe, PID: 2704) | 33 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0xdd4, Process_unk_out = 0xffffd000b6d97388, ret_val_out = 0xc000000b |
| IoCompleteRequest | ret_val_out = 0x0 |
Kernel Graph 13
Code Block #13 (EP #18)
»
| Information | Value |
|---|---|
| Trigger | KeWaitForMutexObject+0x1fa |
| Start Address | 0xffffe00100802982 |
Execution Path #18 (length: 427, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 427 |
Processes
»
| Process | Count |
|---|---|
| Process 69 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| CmpEnumerateCallback | ret_val_out = 0xfffff800e3bfcc90 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3bee000 |
| CmpEnumerateCallback | ret_val_out = 0x0 |
| DbgEnumerateCallback | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ffbf5ee0 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e3bf9da0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3bee000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ffbf5eee |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe00101289a40 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e3dd1200 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3dd8000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe00101289a4e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ff868ca0 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff8011ad0d778 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff8011af87000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ff868cae |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ff8d7c40 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e30e7750 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3169000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ff8d7c4e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ffbf3e90 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e3bfa290 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3bee000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ffbf3e9e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe001005fd130 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e2eea040 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e2ee6000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe001005fd13e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe001009634c0 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e4dd3b30 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e4f9b000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe001009634ce |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe00101e51150 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e379cf90 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3777000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe00101e5115e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe00105747390 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e5f4aba0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e5f43000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe0010574739e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe000ffbf7940 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e3bf3f10 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e3bee000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe000ffbf794e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0xffffe001135ff600 |
| ExGetCallBackBlockRoutine | ret_val_out = 0xfffff800e467bf90 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800e466c000 |
| ExDereferenceCallBackBlock | ret_val_out = 0xffffe001135ff60e |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x1 |
| ExReferenceCallBackBlock | ret_val_out = 0x0 |
| PspEnumerateCallback | ret_val_out = 0x0 |
| ExFreePool | P_ptr = 0xffffe001004fe010 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x68c73, Tag = 0x63426343, ret_val_ptr_out = 0xffffe00102cd7000 |
| KeInsertQueueApc | Apc_unk = 0xffffe000ff8a91f0, SystemArgument1_ptr = 0xffffe000ffb3560b, SystemArgument2_ptr = 0x0, PriorityBoost_unk = 0x0, ret_val_out = 1 |
Kernel Graph 14
Code Block #14 (EP #22)
»
| Information | Value |
|---|---|
| Trigger | KiDispatchCallout+0x18a |
| Start Address | 0xffffe00102cd749c |
Execution Path #22 (length: 2, count: 2, processes: 2 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 73 (csrss.exe, PID: 416) | 1 |
| Process 69 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe00102cd7a04, SpinLock_unk_out = 0xffffe00102cd7a04, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe00102cd7a04, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe00102cd7a04 |
Kernel Graph 15
Code Block #15 (EP #23)
»
| Information | Value |
|---|---|
| Trigger | ExpWorkerThread+0xe7 |
| Start Address | 0xffffe00102ce919d |
Execution Path #23 (length: 1, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 69 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeWaitForMutexObject | - |
Kernel Graph 16
Code Block #16 (EP #24)
»
| Information | Value |
|---|---|
| Trigger | KiMarkBugCheckRegions+0x3f6 |
| Start Address | 0xffffd000b8bffe5b |
Execution Path #24 (length: 5, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 69 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmAllocateIndependentPages | ret_val_out = 0xffffd000bb9d2000 |
| MmSetPageProtection | ret_val_out = 0x1 |
| MmAllocateIndependentPages | ret_val_out = 0xffffd000b7be2000 |
| MmSetPageProtection | ret_val_out = 0x1 |
| KeSetCoalescableTimer | Timer_unk = 0xffffe000ff85fda4, DueTime_unk = 0xffffffffb2d18b33, Period = 0x0, TolerableDelay = 0x107d, Dpc_unk = 0xffffe000ff85fac1, Timer_unk_out = 0xffffe000ff85fda4, ret_val_out = 0 |
Kernel Graph 17
Code Block #17 (EP #21)
»
| Information | Value |
|---|---|
| Trigger | PsReleaseProcessExitSynchronization+0x1c |
| Start Address | 0xfffff800e56126f0 |
Execution Path #21 (length: 3, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 173 (3oobmnjy64.exe, PID: 2704) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObfDereferenceObject | Object_ptr = 0xffffe001010ae840, ret_val_ptr_out = 0x4000d |
| ObQueryNameString | Object_ptr = 0xffffe001010ce090, Length = 0x800, ObjectNameInfo_unk_out = 0xffffe0010057a7c4, ReturnLength_ptr_out = 0xffffd000b8fd8380, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe001010ce090, ret_val_ptr_out = 0x7ffd |
