ef03ec99...1f4a | Kernel
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Ransomware
Dropper
Trojan
...
Threat Names:
Generic.Ransom.Matrix.D7248D5E
Trojan.GenericKD.40672878
Generic.Ransom.Matrix.0D6A71DB
...

Remarks (2/2)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "6 minutes" to "1 minute" to reveal dormant functionality.

(0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.

Kernel Graph 1
Code Block #1 (EP #1)
Information Value
Trigger IopLoadDriver+0xa04
Start Address 0xfffff88004abd058
Execution Path #1 (length: 58, count: 1, processes: 1)
Information Value
Sequence Length 58
Processes
Process Count
Process 28 (System, PID: 4) 1
Sequence
Symbol Parameters
RtlInitUnicodeString SourceString = PsAcquireProcessExitSynchronization, DestinationString_out = PsAcquireProcessExitSynchronization
MmGetSystemRoutineAddress SystemRoutineName = PsAcquireProcessExitSynchronization, ret_val_ptr_out = 0xfffff80002c0dd90
RtlInitUnicodeString SourceString = PsReleaseProcessExitSynchronization, DestinationString_out = PsReleaseProcessExitSynchronization
MmGetSystemRoutineAddress SystemRoutineName = PsReleaseProcessExitSynchronization, ret_val_ptr_out = 0xfffff80002c1c770
RtlInitUnicodeString SourceString = ObGetObjectType, DestinationString_out = ObGetObjectType
MmGetSystemRoutineAddress SystemRoutineName = ObGetObjectType, ret_val_ptr_out = 0xfffff80002b46b54
ObGetObjectType ret_val_out = 0xfffffa800184acd0
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x26, Tag = 0x544f4550, ret_val_ptr_out = 0xfffff8a003dfb1b0
ObOpenObjectByName ObjectAttributes_unk = 0xfffff88002f9d6a0, ObjectType_unk = 0xfffffa800184acd0, AccessMode_unk = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0xfffff880000f0001, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Handle_ptr_out = 0xfffff88002f9d6f8, Handle_out = 0xffffffff80000a78, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a003dfb1b0, Tag = 0x0
ObReferenceObjectByHandle Handle_unk = 0xffffffff80000a78, DesiredAccess_unk = 0xf0001, ObjectType_unk = 0xfffffa800184acd0, AccessMode_unk = 0x0, Object_ptr_out = 0xfffff88002f9d700, Object_out = 0xfffffa80018be570, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000a78, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa80018be570, ret_val_ptr_out = 0x2
RtlInitUnicodeString SourceString = \Device\PROCEXP152, DestinationString_out = \Device\PROCEXP152
RtlInitUnicodeString SourceString = D:P(A;;GA;;;SY)(A;;GA;;;BA), DestinationString_out = D:P(A;;GA;;;SY)(A;;GA;;;BA)
RtlInitUnicodeString SourceString = IoCreateDeviceSecure, DestinationString_out = IoCreateDeviceSecure
MmGetSystemRoutineAddress SystemRoutineName = IoCreateDeviceSecure, ret_val_ptr_out = 0x0
RtlInitUnicodeString SourceString = IoValidateDeviceIoControlAccess, DestinationString_out = IoValidateDeviceIoControlAccess
MmGetSystemRoutineAddress SystemRoutineName = IoValidateDeviceIoControlAccess, ret_val_ptr_out = 0xfffff8000292a4c0
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x68, Tag = 0x6c416553, ret_val_ptr_out = 0xfffff8a002bce480
_wcsnicmp _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0
_wcsnicmp _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11
_wcsnicmp _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12
_wcsnicmp _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0
_wcsnicmp _String1 = SY, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -4
_wcsnicmp _String1 = SY, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 17
_wcsnicmp _String1 = SY, _String2 = SY, _MaxCount_ptr = 0x2, ret_val_out = 0
RtlLengthSid Sid_ptr = 0xfffffa800184a8a0, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, ret_val_out = 0xc
RtlAddAccessAllowedAce Acl_unk = 0xfffff8a002bce480, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xfffffa800184a8a0, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, Acl_unk_out = 0xfffff8a002bce480, ret_val_out = 0x0
_wcsnicmp _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0
_wcsnicmp _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11
_wcsnicmp _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16
_wcsnicmp _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12
_wcsnicmp _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0
_wcsnicmp _String1 = BA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -21
_wcsnicmp _String1 = BA, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 0
RtlLengthSid Sid_ptr = 0xfffff8a000001840, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, ret_val_out = 0x10
RtlAddAccessAllowedAce Acl_unk = 0xfffff8a002bce480, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xfffff8a000001840, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, Acl_unk_out = 0xfffff8a002bce480, ret_val_out = 0x0
RtlCreateSecurityDescriptor Revision = 0x1, SecurityDescriptor_unk_out = 0xfffff88002f9d588, ret_val_out = 0x0
RtlSetDaclSecurityDescriptor SecurityDescriptor_unk = 0xfffff88002f9d588, DaclPresent = 1, Dacl_unk = 0xfffff8a002bce480, DaclDefaulted = 0, SecurityDescriptor_unk_out = 0xfffff88002f9d588, ret_val_out = 0x0
RtlAbsoluteToSelfRelativeSD AbsoluteSecurityDescriptor_unk = 0xfffff88002f9d588, BufferLength_ptr = 0xfffff88002f9d5d0, SelfRelativeSecurityDescriptor_unk_out = 0x0, BufferLength_ptr_out = 0xfffff88002f9d5d0, ret_val_out = 0xc0000023
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x48, Tag = 0x64536553, ret_val_ptr_out = 0xfffff8a001d9c610
RtlAbsoluteToSelfRelativeSD AbsoluteSecurityDescriptor_unk = 0xfffff88002f9d588, BufferLength_ptr = 0xfffff88002f9d5d0, SelfRelativeSecurityDescriptor_unk_out = 0xfffff8a001d9c610, BufferLength_ptr_out = 0xfffff88002f9d5d0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a002bce480, Tag = 0x0
IoCreateDevice DriverObject_unk = 0xfffffa8003b25a50, DeviceExtensionSize = 0x0, DeviceName = \Device\PROCEXP152, DeviceType_unk = 0x8335, DeviceCharacteristics = 0x0, Exclusive = 0, DeviceObject_unk_out = 0xfffff88002f9d6d0, ret_val_out = 0x0
RtlGetOwnerSecurityDescriptor SecurityDescriptor_unk = 0xfffff8a001d9c610, Owner_ptr_out = 0xfffff88002f9d560, Owner_out = 0x0, OwnerDefaulted_ptr_out = 0xfffff88002f9d598, ret_val_out = 0x0
RtlGetGroupSecurityDescriptor SecurityDescriptor_unk = 0xfffff8a001d9c610, Group_ptr_out = 0xfffff88002f9d560, Group_out = 0x0, GroupDefaulted_ptr_out = 0xfffff88002f9d598, ret_val_out = 0x0
RtlGetSaclSecurityDescriptor SecurityDescriptor_unk = 0xfffff8a001d9c610, SaclPresent_ptr_out = 0xfffff88002f9d5a8, Sacl_unk_out = 0xfffff88002f9d568, SaclDefaulted_ptr_out = 0xfffff88002f9d598, ret_val_out = 0x0
RtlGetDaclSecurityDescriptor SecurityDescriptor_unk = 0xfffff8a001d9c610, DaclPresent_ptr_out = 0xfffff88002f9d5a8, Dacl_unk_out = 0xfffff88002f9d568, DaclDefaulted_ptr_out = 0xfffff88002f9d598, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xfffffa80038b5900, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x40000, ObjectType_unk = 0xfffffa8001933900, AccessMode_unk = 0xfffffa8003b25a00, Handle_ptr_out = 0xfffff88002f9d5d0, Handle_out = 0xffffffff80000a78, ret_val_out = 0x0
ZwSetSecurityObject Handle_unk = 0xffffffff80000a78, SecurityInformation_unk = 0x4, SecurityDescriptor_unk = 0xfffff8a001d9c610, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000a78, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a001d9c610, Tag = 0x0
RtlInitUnicodeString SourceString = \DosDevices\PROCEXP152, DestinationString_out = \DosDevices\PROCEXP152
IoCreateSymbolicLink SymbolicLinkName = \DosDevices\PROCEXP152, DeviceName = \Device\PROCEXP152, ret_val_out = 0x0

Kernel Graph 2
Code Block #2 (EP #2, #3, #4, #5, #6, #7, #8, #9, #10, #11, #12, #13, #23)
Information Value
Trigger IofCallDriver+0x50
Start Address 0xfffff88004ab6000
Execution Path #2 (length: 5, count: 8, processes: 8)
Information Value
Sequence Length 5
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 1
Process 148 (bv6nck8c64.exe, PID: 3220) 1
Process 162 (bv6nck8c64.exe, PID: 3356) 1
Process 187 (bv6nck8c64.exe, PID: 3644) 1
Process 205 (bv6nck8c64.exe, PID: 3844) 1
Process 218 (bv6nck8c64.exe, PID: 3976) 1
Process 235 (bv6nck8c64.exe, PID: 3100) 1
Process 244 (bv6nck8c64.exe, PID: 3160) 1
Sequence
Symbol Parameters
SeCaptureSubjectContext SubjectContext_unk_out = 0xfffff880054f8598
ExGetPreviousMode ret_val_unk_out = 0xfffffa80036a0b01
SePrivilegeCheck RequiredPrivileges_unk = 0xfffff880054f85b8, SubjectSecurityContext_unk = 0xfffff880054f8598, AccessMode_unk = 0x1, RequiredPrivileges_unk_out = 0xfffff880054f85b8, ret_val_out = 1
SeReleaseSubjectContext SubjectContext_unk = 0xfffff880054f8598, SubjectContext_unk_out = 0xfffff880054f8598
IofCompleteRequest Irp_unk = 0xfffffa800d08d010, PriorityBoost = 0
Execution Path #3 (length: 10, count: 9141, processes: 8)
Information Value
Sequence Length 10
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 1325
Process 148 (bv6nck8c64.exe, PID: 3220) 101
Process 162 (bv6nck8c64.exe, PID: 3356) 1325
Process 187 (bv6nck8c64.exe, PID: 3644) 1255
Process 205 (bv6nck8c64.exe, PID: 3844) 1266
Process 218 (bv6nck8c64.exe, PID: 3976) 1304
Process 235 (bv6nck8c64.exe, PID: 3100) 1247
Process 244 (bv6nck8c64.exe, PID: 3160) 1318
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x6c8, Process_unk_out = 0xfffff880054f8558, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa800387fb30, PROCESS_unk_out = 0xfffffa800387fb30, ApcState_unk_out = 0xfffff880054f85d0
ObReferenceObjectByHandle Handle_unk = 0x80, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa800378d401, Object_ptr_out = 0xfffff880054f8548, Object_out = 0xfffffa80038366d0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xfffff880054f85d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa800387fb30, ret_val_ptr_out = 0xe
ObQueryNameString Object_ptr = 0xfffffa8003168830, Length = 0x800, ObjectNameInfo_unk_out = 0xfffffa80038c27c4, ReturnLength_ptr_out = 0xfffff880054f8508, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa80038366d0, ret_val_ptr_out = 0x3
IofCompleteRequest Irp_unk = 0xfffffa800d08d010, PriorityBoost = 0
Execution Path #4 (length: 13, count: 32, processes: 8)
Information Value
Sequence Length 13
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 4
Process 148 (bv6nck8c64.exe, PID: 3220) 4
Process 162 (bv6nck8c64.exe, PID: 3356) 4
Process 187 (bv6nck8c64.exe, PID: 3644) 4
Process 205 (bv6nck8c64.exe, PID: 3844) 4
Process 218 (bv6nck8c64.exe, PID: 3976) 4
Process 235 (bv6nck8c64.exe, PID: 3100) 4
Process 244 (bv6nck8c64.exe, PID: 3160) 4
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x88c, Process_unk_out = 0xfffff880054f85a8, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa80037bcb30, PROCESS_unk_out = 0xfffffa80037bcb30, ApcState_unk_out = 0xfffff880054f85c8
ObReferenceObjectByHandle Handle_unk = 0x48, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa800378d401, Object_ptr_out = 0xfffff880054f85b0, Object_out = 0xfffffa8003881b30, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa80037bcb30, ret_val_ptr_out = 0xe
ZwQueryObject Handle_unk = 0x48, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x0, ObjectInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xfffff880054f85a4, ret_val_out = 0xc0000004
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x88, Tag = 0x58637250, ret_val_ptr_out = 0xfffff8a0025628c0
ZwQueryObject Handle_unk = 0x48, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x88, ObjectInformation_ptr_out = 0xfffff8a0025628c0, ReturnLength_ptr_out = 0x0, ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a0025628c0, Tag = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa8003881b30, ret_val_ptr_out = 0x1
KeUnstackDetachProcess ApcState_unk = 0xfffff880054f85c8
IofCompleteRequest Irp_unk = 0xfffffa800d08d010, PriorityBoost = 0
Execution Path #5 (length: 2, count: 16, processes: 8)
Information Value
Sequence Length 2
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 2
Process 148 (bv6nck8c64.exe, PID: 3220) 2
Process 162 (bv6nck8c64.exe, PID: 3356) 2
Process 187 (bv6nck8c64.exe, PID: 3644) 2
Process 205 (bv6nck8c64.exe, PID: 3844) 2
Process 218 (bv6nck8c64.exe, PID: 3976) 2
Process 235 (bv6nck8c64.exe, PID: 3100) 2
Process 244 (bv6nck8c64.exe, PID: 3160) 2
Sequence
Symbol Parameters
ZwOpenProcess DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xfffff880054f8688, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xfffff880054f8678, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xfffffa8002007ac0, ProcessHandle_out = 0xc0, ret_val_out = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800eb5b010, PriorityBoost = 0
Execution Path #6 (length: 4, count: 16, processes: 8)
Information Value
Sequence Length 4
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 2
Process 148 (bv6nck8c64.exe, PID: 3220) 2
Process 162 (bv6nck8c64.exe, PID: 3356) 2
Process 187 (bv6nck8c64.exe, PID: 3644) 2
Process 205 (bv6nck8c64.exe, PID: 3844) 2
Process 218 (bv6nck8c64.exe, PID: 3976) 2
Process 235 (bv6nck8c64.exe, PID: 3100) 2
Process 244 (bv6nck8c64.exe, PID: 3160) 2
Sequence
Symbol Parameters
ZwOpenProcess DesiredAccess_unk = 0x40, ObjectAttributes_ptr = 0xfffff880054f8608, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xfffff880054f85f8, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xfffff880054f85f0, ProcessHandle_out = 0xffffffff80000954, ret_val_out = 0x0
ZwDuplicateObject SourceProcessHandle_unk = 0xffffffff80000954, SourceHandle_unk = 0x424, TargetProcessHandle_unk = 0xffffffffffffffff, DesiredAccess_unk = 0xfffff88010000000, HandleAttributes = 0x0, Options = 0x0, TargetHandle_ptr_out = 0xfffffa8002007ac0, TargetHandle_out = 0xc8, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000954, ret_val_out = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800eb5b010, PriorityBoost = 0
Execution Path #7 (length: 8, count: 64, processes: 7)
Information Value
Sequence Length 8
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 10
Process 162 (bv6nck8c64.exe, PID: 3356) 38
Process 187 (bv6nck8c64.exe, PID: 3644) 1
Process 205 (bv6nck8c64.exe, PID: 3844) 6
Process 218 (bv6nck8c64.exe, PID: 3976) 7
Process 235 (bv6nck8c64.exe, PID: 3100) 1
Process 244 (bv6nck8c64.exe, PID: 3160) 1
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x4, Process_unk_out = 0xfffff880054f8558, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa8001850990, PROCESS_unk_out = 0xfffffa8001850990, ApcState_unk_out = 0xfffff880054f85d0
ObReferenceObjectByHandle Handle_unk = 0xffffffff80000908, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa800378d400, Object_ptr_out = 0xfffff880054f8548, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008
KeUnstackDetachProcess ApcState_unk = 0xfffff880054f85d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa8001850990, ret_val_ptr_out = 0x105
IofCompleteRequest Irp_unk = 0xfffffa800eb5b010, PriorityBoost = 0
Execution Path #8 (length: 6, count: 754, processes: 8)
Information Value
Sequence Length 6
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 108
Process 148 (bv6nck8c64.exe, PID: 3220) 22
Process 162 (bv6nck8c64.exe, PID: 3356) 110
Process 187 (bv6nck8c64.exe, PID: 3644) 106
Process 205 (bv6nck8c64.exe, PID: 3844) 102
Process 218 (bv6nck8c64.exe, PID: 3976) 102
Process 235 (bv6nck8c64.exe, PID: 3100) 101
Process 244 (bv6nck8c64.exe, PID: 3160) 103
Sequence
Symbol Parameters
ObReferenceObjectByHandle Handle_unk = 0xc0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xfffff880054f8668, Object_out = 0xfffffa8002b79b30, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObOpenObjectByPointer Object_ptr = 0xfffffa8002b79b30, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xfffff880054f8670, Handle_out = 0xffffffff80000954, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa8002b79b30, ret_val_ptr_out = 0x18
ZwOpenProcessToken ProcessHandle_unk = 0xffffffff80000954, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xfffffa800289c440, TokenHandle_out = 0xc8, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff80000954, ret_val_out = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800eb5b010, PriorityBoost = 0
Execution Path #9 (length: 9, count: 19, processes: 6)
Information Value
Sequence Length 9
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 7
Process 162 (bv6nck8c64.exe, PID: 3356) 5
Process 187 (bv6nck8c64.exe, PID: 3644) 1
Process 205 (bv6nck8c64.exe, PID: 3844) 3
Process 235 (bv6nck8c64.exe, PID: 3100) 1
Process 244 (bv6nck8c64.exe, PID: 3160) 2
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x328, Process_unk_out = 0xfffff880054f8558, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa8001fdf060, PROCESS_unk_out = 0xfffffa8001fdf060, ApcState_unk_out = 0xfffff880054f85d0
ObReferenceObjectByHandle Handle_unk = 0x168, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa800378d401, Object_ptr_out = 0xfffff880054f8548, Object_out = 0xfffffa80038654a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa80038654a0, ret_val_ptr_out = 0x3
KeUnstackDetachProcess ApcState_unk = 0xfffff880054f85d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa8001fdf060, ret_val_ptr_out = 0x39
IofCompleteRequest Irp_unk = 0xfffffa800fcdd790, PriorityBoost = 0
Execution Path #10 (length: 2, count: 47, processes: 4)
Information Value
Sequence Length 2
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 14
Process 162 (bv6nck8c64.exe, PID: 3356) 11
Process 187 (bv6nck8c64.exe, PID: 3644) 10
Process 205 (bv6nck8c64.exe, PID: 3844) 12
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0xadc, Process_unk_out = 0xfffff880054f8558, ret_val_out = 0xc000000b
IofCompleteRequest Irp_unk = 0xfffffa800fcdd790, PriorityBoost = 0
Execution Path #11 (length: 1, count: 45, processes: 8)
Information Value
Sequence Length 1
Processes
Process Count
Process 23 (bv6nck8c64.exe, PID: 2928) 1
Process 148 (bv6nck8c64.exe, PID: 3220) 1
Process 162 (bv6nck8c64.exe, PID: 3356) 1
Process 187 (bv6nck8c64.exe, PID: 3644) 1
Process 205 (bv6nck8c64.exe, PID: 3844) 1
Process 218 (bv6nck8c64.exe, PID: 3976) 1
Process 235 (bv6nck8c64.exe, PID: 3100) 38
Process 244 (bv6nck8c64.exe, PID: 3160) 1
Sequence
Symbol Parameters
IofCompleteRequest Irp_unk = 0xfffffa800fcdd790, PriorityBoost = 0
Execution Path #12 (length: 8, count: 1, processes: 1)
Information Value
Sequence Length 8
Processes
Process Count
Process 148 (bv6nck8c64.exe, PID: 3220) 1
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x720, Process_unk_out = 0xfffff880054525f0, ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa8002251300, PROCESS_unk_out = 0xfffffa8002251300, ApcState_unk_out = 0xfffff88005452608
ObReferenceObjectByHandle Handle_unk = 0x14c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa800394e601, Object_ptr_out = 0xfffff880054525f8, Object_out = 0xfffff8a0019ff7c0, HandleInformation_unk_out = 0xfffff88005452600, ret_val_out = 0x0
ObCloseHandle Handle_unk = 0x14c, AccessMode_unk = 0x1, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffff8a0019ff7c0, ret_val_ptr_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xfffff88005452608
ObfDereferenceObject Object_ptr = 0xfffffa8002251300, ret_val_ptr_out = 0x4a
IofCompleteRequest Irp_unk = 0xfffffa80019d8780, PriorityBoost = 0
Execution Path #13 (length: 9, count: 1, processes: 1)
Information Value
Sequence Length 9
Processes
Process Count
Process 205 (bv6nck8c64.exe, PID: 3844) 1
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x4, Process_unk_out = 0xfffff88005590558, ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa8001850990, PROCESS_unk_out = 0xfffffa8001850990, ApcState_unk_out = 0xfffff880055905d0
ObReferenceObjectByHandle Handle_unk = 0xffffffff80000b00, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80038d3700, Object_ptr_out = 0xfffff88005590548, Object_out = 0xfffffa80036033c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xfffff880055905d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa8001850990, ret_val_ptr_out = 0x14a
ObQueryNameString Object_ptr = 0xfffffa80036033c0, Length = 0x800, ObjectNameInfo_unk_out = 0xfffffa800254c044, ReturnLength_ptr_out = 0xfffff88005590550, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa80036033c0, ret_val_ptr_out = 0x2
IofCompleteRequest Irp_unk = 0xfffffa800211c1b0, PriorityBoost = 0
Execution Path #23 (length: 9, count: 1, processes: 1)
Information Value
Sequence Length 9
Processes
Process Count
Process 235 (bv6nck8c64.exe, PID: 3100) 1
Sequence
Symbol Parameters
PsLookupProcessByProcessId ProcessId_unk = 0x2c8, Process_unk_out = 0xfffff88005000558, ret_val_out = 0x0
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa80030fdb30, PROCESS_unk_out = 0xfffffa80030fdb30, ApcState_unk_out = 0xfffff880050005d0
ObReferenceObjectByHandle Handle_unk = 0x258, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80039a2001, Object_ptr_out = 0xfffff88005000548, Object_out = 0xfffffa8002f2c220, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xfffff880050005d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa80030fdb30, ret_val_ptr_out = 0xff
ObQueryNameString Object_ptr = 0xfffffa800282fcd0, Length = 0x800, ObjectNameInfo_unk_out = 0xfffffa800231d7c4, ReturnLength_ptr_out = 0xfffff88005000508, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa8002f2c220, ret_val_ptr_out = 0x12

Kernel Graph 3
Code Block #3 (EP #24)
Information Value
Trigger ExpWorkerThread+0x10f
Start Address 0xfffffa80019f8378
Execution Path #24 (length: 1, count: 1, processes: 1 incomplete)
Information Value
Sequence Length 1
Processes
Process Count
Process 28 (System, PID: 4) 1
Sequence
Symbol Parameters
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1d054, Tag = 0x655a6343, ret_val_ptr_out = 0xfffffa8003a2a000

Kernel Graph 4
Code Block #4 (EP #14)
Information Value
Trigger PROCEXP152.SYS+0x2641
Start Address 0xfffff80002c0dd90
Execution Path #14 (length: 1, count: 37, processes: 1)
Information Value
Sequence Length 1
Processes
Process Count
Process 235 (bv6nck8c64.exe, PID: 3100) 37
Sequence
Symbol Parameters
PsAcquireProcessExitSynchronization ret_val_out = 0x0

Kernel Graph 5
Code Block #5 (EP #15)
Information Value
Trigger PROCEXP152.SYS+0x2669
Start Address 0xfffff800028c7410
Execution Path #15 (length: 1, count: 37, processes: 1)
Information Value
Sequence Length 1
Processes
Process Count
Process 235 (bv6nck8c64.exe, PID: 3100) 37
Sequence
Symbol Parameters
KeStackAttachProcess PROCESS_unk = 0xfffffa8003055910, PROCESS_unk_out = 0xfffffa8003055910, ApcState_unk_out = 0xfffff880050005d0

Kernel Graph 6
Code Block #6 (EP #16)
Information Value
Trigger PROCEXP152.SYS+0x26a0
Start Address 0xfffff80002b708e0
Execution Path #16 (length: 1, count: 37, processes: 3)
Information Value
Sequence Length 1
Processes
Process Count
Process 35 (lsass.exe, PID: 480) 3
Process 46 (explorer.exe, PID: 1092) 33
Process 94 (skype.exe, PID: 2496) 1
Sequence
Symbol Parameters
ObReferenceObjectByHandle Handle_unk = 0x738, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80039a2001, Object_ptr_out = 0xfffff88005000548, Object_out = 0xfffffa800352e5a0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0

Kernel Graph 7
Code Block #7 (EP #17)
Information Value
Trigger PROCEXP152.SYS+0x26d2
Start Address 0xfffff800028c7120
Execution Path #17 (length: 1, count: 37, processes: 3)
Information Value
Sequence Length 1
Processes
Process Count
Process 35 (lsass.exe, PID: 480) 3
Process 46 (explorer.exe, PID: 1092) 33
Process 94 (skype.exe, PID: 2496) 1
Sequence
Symbol Parameters
KeUnstackDetachProcess ApcState_unk = 0xfffff880050005d0

Kernel Graph 8
Code Block #8 (EP #18)
Information Value
Trigger PROCEXP152.SYS+0x26ee
Start Address 0xfffff80002c1c770
Execution Path #18 (length: 1, count: 37, processes: 1)
Information Value
Sequence Length 1
Processes
Process Count
Process 235 (bv6nck8c64.exe, PID: 3100) 37
Sequence
Symbol Parameters
PsReleaseProcessExitSynchronization ret_val_out = 0x2

Kernel Graph 9
Code Block #9 (EP #19)
Information Value
Trigger PROCEXP152.SYS+0x26f5
Start Address 0xfffff800028a0440
Execution Path #19 (length: 1, count: 74, processes: 1)
Information Value
Sequence Length 1
Processes
Process Count
Process 235 (bv6nck8c64.exe, PID: 3100) 74
Sequence
Symbol Parameters
ObfDereferenceObject Object_ptr = 0xfffffa8003055910, ret_val_ptr_out = 0xd9

Kernel Graph 10
Code Block #10 (EP #20)
Information Value
Trigger PROCEXP152.SYS+0x27c8
Start Address 0xfffff80002b75e80
Execution Path #20 (length: 1, count: 37, processes: 1)
Information Value
Sequence Length 1
Processes
Process Count
Process 235 (bv6nck8c64.exe, PID: 3100) 37
Sequence
Symbol Parameters
ObQueryNameString Object_ptr = 0xfffffa800352e5a0, Length = 0x800, ObjectNameInfo_unk_out = 0xfffffa8001a08044, ReturnLength_ptr_out = 0xfffff88005000550, ret_val_out = 0x0

Kernel Graph 11
Code Block #11 (EP #21, #22)
Information Value
Trigger PROCEXP152.SYS+0x211a
Start Address 0xfffff80002bb0f97
Execution Path #21 (length: 9, count: 34, processes: 1)
Information Value
Sequence Length 9
Processes
Process Count
Process 235 (bv6nck8c64.exe, PID: 3100) 34
Sequence
Symbol Parameters
PsAcquireProcessExitSynchronization ret_val_out = 0x0
KeStackAttachProcess PROCESS_unk = 0xfffffa8003055910, PROCESS_unk_out = 0xfffffa8003055910, ApcState_unk_out = 0xfffff880050005d0
ObReferenceObjectByHandle Handle_unk = 0x74c, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0xfffffa80039a2001, Object_ptr_out = 0xfffff88005000548, Object_out = 0xfffffa80023916f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
KeUnstackDetachProcess ApcState_unk = 0xfffff880050005d0
PsReleaseProcessExitSynchronization ret_val_out = 0x2
ObfDereferenceObject Object_ptr = 0xfffffa8003055910, ret_val_ptr_out = 0xd9
ObQueryNameString Object_ptr = 0xfffffa80023916f0, Length = 0x800, ObjectNameInfo_unk_out = 0xfffffa8001a02044, ReturnLength_ptr_out = 0xfffff88005000550, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa80023916f0, ret_val_ptr_out = 0x2
IofCompleteRequest Irp_unk = 0xfffffa800c9fb010, PriorityBoost = 0
Execution Path #22 (length: 5, count: 3, processes: 1)
Information Value
Sequence Length 5
Processes
Process Count
Process 235 (bv6nck8c64.exe, PID: 3100) 3
Sequence
Symbol Parameters
ObOpenObjectByPointer Object_ptr = 0xfffffa8003058b30, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xfffff88005000670, Handle_out = 0xffffffff800006d4, ret_val_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa8003058b30, ret_val_ptr_out = 0x3f
ZwOpenProcessToken ProcessHandle_unk = 0xffffffff800006d4, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xfffffa800289e880, TokenHandle_out = 0xc8, ret_val_out = 0x0
ZwClose Handle_unk = 0xffffffff800006d4, ret_val_out = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800c9fb010, PriorityBoost = 0