VTI SCORE: 100/100
| Dynamic Analysis Report |
| Classification: Ransomware, Trojan, Dropper |
m.exe
Windows Exe (x86-32)
Created at 2019-04-17T10:38:00
Remarks (1/1)
(0x200003a): A task was rescheduled ahead of time to reveal dormant functionality.
Kernel Graph 1
Code Block #1 (EP #1)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x2d |
| Start Address | 0xfffff800b8049058 |
Execution Path #1 (length: 58, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 58 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| RtlInitUnicodeString | SourceString = PsAcquireProcessExitSynchronization, DestinationString_out = PsAcquireProcessExitSynchronization |
| MmGetSystemRoutineAddress | SystemRoutineName = PsAcquireProcessExitSynchronization, ret_val_ptr_out = 0xfffff803f245f480 |
| RtlInitUnicodeString | SourceString = PsReleaseProcessExitSynchronization, DestinationString_out = PsReleaseProcessExitSynchronization |
| MmGetSystemRoutineAddress | SystemRoutineName = PsReleaseProcessExitSynchronization, ret_val_ptr_out = 0xfffff803f254aac0 |
| RtlInitUnicodeString | SourceString = ObGetObjectType, DestinationString_out = ObGetObjectType |
| MmGetSystemRoutineAddress | SystemRoutineName = ObGetObjectType, ret_val_ptr_out = 0xfffff803f2554fc0 |
| ObGetObjectType | ret_val_out = 0xffffb78a96254670 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x26, Tag = 0x544f4550, ret_val_ptr_out = 0xffffd207ddcc4b40 |
| ObOpenObjectByName | ObjectAttributes_unk = 0xffff9801934a4720, ObjectType_unk = 0xffffb78a96254670, AccessMode_unk = 0x0, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0xffff9801000f0001, ParseContext_ptr = 0x0, ParseContext_ptr_out = 0x0, Handle_ptr_out = 0xffff9801934a4778, Handle_out = 0xffffffff80001fe8, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffd207ddcc4b40, Tag = 0x0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80001fe8, DesiredAccess_unk = 0xf0001, ObjectType_unk = 0xffffb78a96254670, AccessMode_unk = 0x0, Object_ptr_out = 0xffff9801934a4780, Object_out = 0xffffb78a96261620, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001fe8, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a96261620, ret_val_ptr_out = 0x2 |
| RtlInitUnicodeString | SourceString = \Device\PROCEXP152, DestinationString_out = \Device\PROCEXP152 |
| RtlInitUnicodeString | SourceString = D:P(A;;GA;;;SY)(A;;GA;;;BA), DestinationString_out = D:P(A;;GA;;;SY)(A;;GA;;;BA) |
| RtlInitUnicodeString | SourceString = IoCreateDeviceSecure, DestinationString_out = IoCreateDeviceSecure |
| MmGetSystemRoutineAddress | SystemRoutineName = IoCreateDeviceSecure, ret_val_ptr_out = 0x0 |
| RtlInitUnicodeString | SourceString = IoValidateDeviceIoControlAccess, DestinationString_out = IoValidateDeviceIoControlAccess |
| MmGetSystemRoutineAddress | SystemRoutineName = IoValidateDeviceIoControlAccess, ret_val_ptr_out = 0xfffff803f2129c40 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x68, Tag = 0x6c416553, ret_val_ptr_out = 0xffffd207dcbc3870 |
| _wcsnicmp | _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0 |
| _wcsnicmp | _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11 |
| _wcsnicmp | _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12 |
| _wcsnicmp | _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| _wcsnicmp | _String1 = SY, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -4 |
| _wcsnicmp | _String1 = SY, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 17 |
| _wcsnicmp | _String1 = SY, _String2 = SY, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| RtlLengthSid | Sid_ptr = 0xffffb78a96252b80, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, ret_val_out = 0xc |
| RtlAddAccessAllowedAce | Acl_unk = 0xffffd207dcbc3870, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffb78a96252b80, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x1, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority = 0x12, Acl_unk_out = 0xffffd207dcbc3870, ret_val_out = 0x0 |
| _wcsnicmp | _String1 = A, _String2 = A, _MaxCount_ptr = 0x1, ret_val_out = 0 |
| _wcsnicmp | _String1 = GA, _String2 = RC, _MaxCount_ptr = 0x2, ret_val_out = -11 |
| _wcsnicmp | _String1 = GA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = WO, _MaxCount_ptr = 0x2, ret_val_out = -16 |
| _wcsnicmp | _String1 = GA, _String2 = SD, _MaxCount_ptr = 0x2, ret_val_out = -12 |
| _wcsnicmp | _String1 = GA, _String2 = GA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| _wcsnicmp | _String1 = BA, _String2 = WD, _MaxCount_ptr = 0x2, ret_val_out = -21 |
| _wcsnicmp | _String1 = BA, _String2 = BA, _MaxCount_ptr = 0x2, ret_val_out = 0 |
| RtlLengthSid | Sid_ptr = 0xffffd207d3202840, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, ret_val_out = 0x10 |
| RtlAddAccessAllowedAce | Acl_unk = 0xffffd207dcbc3870, AceRevision = 0x2, AccessMask_unk = 0x10000000, Sid_ptr = 0xffffd207d3202840, Sid_deref_Revision = 0x1, Sid_deref_SubAuthorityCount = 0x2, Sid_deref_IdentifierAuthority.Value_[0]_0 = 0x0, Sid_deref_IdentifierAuthority.Value_[1]_1 = 0x0, Sid_deref_IdentifierAuthority.Value_[2]_2 = 0x0, Sid_deref_IdentifierAuthority.Value_[3]_3 = 0x0, Sid_deref_IdentifierAuthority.Value_[4]_4 = 0x0, Sid_deref_IdentifierAuthority.Value_[5]_5 = 0x5, Sid_deref_SubAuthority_[0]_0 = 0x20, Sid_deref_SubAuthority_[1]_1 = 0x0, Acl_unk_out = 0xffffd207dcbc3870, ret_val_out = 0x0 |
| RtlCreateSecurityDescriptor | Revision = 0x1, SecurityDescriptor_unk_out = 0xffff9801934a4608, ret_val_out = 0x0 |
| RtlSetDaclSecurityDescriptor | SecurityDescriptor_unk = 0xffff9801934a4608, DaclPresent = 1, Dacl_unk = 0xffffd207dcbc3870, DaclDefaulted = 0, SecurityDescriptor_unk_out = 0xffff9801934a4608, ret_val_out = 0x0 |
| RtlAbsoluteToSelfRelativeSD | AbsoluteSecurityDescriptor_unk = 0xffff9801934a4608, BufferLength_ptr = 0xffff9801934a4650, SelfRelativeSecurityDescriptor_unk_out = 0x0, BufferLength_ptr_out = 0xffff9801934a4650, ret_val_out = 0xc0000023 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x48, Tag = 0x64536553, ret_val_ptr_out = 0xffffd207dc718c50 |
| RtlAbsoluteToSelfRelativeSD | AbsoluteSecurityDescriptor_unk = 0xffff9801934a4608, BufferLength_ptr = 0xffff9801934a4650, SelfRelativeSecurityDescriptor_unk_out = 0xffffd207dc718c50, BufferLength_ptr_out = 0xffff9801934a4650, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffd207dcbc3870, Tag = 0x0 |
| IoCreateDevice | DriverObject_unk = 0xffffb78a98c55e60, DeviceExtensionSize = 0x0, DeviceName = \Device\PROCEXP152, DeviceType_unk = 0x8335, DeviceCharacteristics = 0x0, Exclusive = 0, DeviceObject_unk_out = 0xffff9801934a4750, ret_val_out = 0x0 |
| RtlGetOwnerSecurityDescriptor | SecurityDescriptor_unk = 0xffffd207dc718c50, Owner_ptr_out = 0xffff9801934a45e0, Owner_out = 0x0, OwnerDefaulted_ptr_out = 0xffff9801934a4618, ret_val_out = 0x0 |
| RtlGetGroupSecurityDescriptor | SecurityDescriptor_unk = 0xffffd207dc718c50, Group_ptr_out = 0xffff9801934a45e0, Group_out = 0x0, GroupDefaulted_ptr_out = 0xffff9801934a4618, ret_val_out = 0x0 |
| RtlGetSaclSecurityDescriptor | SecurityDescriptor_unk = 0xffffd207dc718c50, SaclPresent_ptr_out = 0xffff9801934a4628, Sacl_unk_out = 0xffff9801934a45e8, SaclDefaulted_ptr_out = 0xffff9801934a4618, ret_val_out = 0x0 |
| RtlGetDaclSecurityDescriptor | SecurityDescriptor_unk = 0xffffd207dc718c50, DaclPresent_ptr_out = 0xffff9801934a4628, Dacl_unk_out = 0xffff9801934a45e8, DaclDefaulted_ptr_out = 0xffff9801934a4618, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffb78a98f8d060, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x40000, ObjectType_unk = 0xffffb78a9625eeb0, AccessMode_unk = 0xffffb78a98c55e00, Handle_ptr_out = 0xffff9801934a4650, Handle_out = 0xffffffff80001fe8, ret_val_out = 0x0 |
| ZwSetSecurityObject | Handle_unk = 0xffffffff80001fe8, SecurityInformation_unk = 0x4, SecurityDescriptor_unk = 0xffffd207dc718c50, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001fe8, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffd207dc718c50, Tag = 0x0 |
| RtlInitUnicodeString | SourceString = \DosDevices\PROCEXP152, DestinationString_out = \DosDevices\PROCEXP152 |
| IoCreateSymbolicLink | SymbolicLinkName = \DosDevices\PROCEXP152, DeviceName = \Device\PROCEXP152, ret_val_out = 0x0 |
Kernel Graph 2
Code Block #2 (EP #2, #3, #4, #5, #6, #7, #8, #9, #10, #23)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x2d |
| Start Address | 0xfffff800b8042000 |
Execution Path #2 (length: 5, count: 2, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 5 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 1 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| SeCaptureSubjectContext | SubjectContext_unk_out = 0xffff9801953d0398 |
| ExGetPreviousMode | ret_val_unk_out = 0x1 |
| SePrivilegeCheck | RequiredPrivileges_unk = 0xffff9801953d03b8, SubjectSecurityContext_unk = 0xffff9801953d0398, AccessMode_unk = 0x1, RequiredPrivileges_unk_out = 0xffff9801953d03b8, ret_val_out = 1 |
| SeReleaseSubjectContext | SubjectContext_unk = 0xffff9801953d0398, SubjectContext_unk_out = 0xffff9801953d0398 |
| IofCompleteRequest | Irp_unk = 0xffffb78a98d6e4a0, PriorityBoost = 0 |
Execution Path #3 (length: 10, count: 4287, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 10 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 2024 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 2263 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0xb08, Process_unk_out = 0xffff9801953d0428, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffb78a968547c0, PROCESS_unk_out = 0xffffb78a968547c0, ApcState_unk_out = 0xffff9801953d04a0 |
| ObReferenceObjectByHandle | Handle_unk = 0x1f4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffff9801953d0418, Object_out = 0xffffb78a98b27600, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffff9801953d04a0 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a968547c0, ret_val_ptr_out = 0x20046 |
| ObQueryNameString | Object_ptr = 0xffffb78a98b27600, Length = 0x800, ObjectNameInfo_unk_out = 0xffffb78a969b2044, ReturnLength_ptr_out = 0xffff9801953d0420, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a98b27600, ret_val_ptr_out = 0x17fff |
| IofCompleteRequest | Irp_unk = 0xffffb78a98ca2dc0, PriorityBoost = 0 |
Execution Path #4 (length: 13, count: 8, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 13 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 4 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 4 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0xb08, Process_unk_out = 0xffff9801953d0478, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffb78a968547c0, PROCESS_unk_out = 0xffffb78a968547c0, ApcState_unk_out = 0xffff9801953d0498 |
| ObReferenceObjectByHandle | Handle_unk = 0x1e8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffff9801953d0480, Object_out = 0xffffb78a98a732f0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a968547c0, ret_val_ptr_out = 0x20040 |
| ZwQueryObject | Handle_unk = 0x1e8, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x0, ObjectInformation_ptr_out = 0x0, ReturnLength_ptr_out = 0xffff9801953d0474, ret_val_out = 0xc0000004 |
| ExAllocatePoolWithTag | PoolType_unk = 0x1, NumberOfBytes_ptr = 0x88, Tag = 0x58637250, ret_val_ptr_out = 0xffffd207de54e290 |
| ZwQueryObject | Handle_unk = 0x1e8, ObjectInformationClass_unk = 0x2, ObjectInformationLength = 0x88, ObjectInformation_ptr_out = 0xffffd207de54e290, ReturnLength_ptr_out = 0x0, ret_val_out = 0x0 |
| ExFreePoolWithTag | P_ptr = 0xffffd207de54e290, Tag = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a98a732f0, ret_val_ptr_out = 0x7ffe |
| KeUnstackDetachProcess | ApcState_unk = 0xffff9801953d0498 |
| IofCompleteRequest | Irp_unk = 0xffffb78a98ca2dc0, PriorityBoost = 0 |
Execution Path #5 (length: 2, count: 14, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 8 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 6 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcess | DesiredAccess_unk = 0x10000000, ObjectAttributes_ptr = 0xffff9801953d0558, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x0, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffff9801953d0548, ClientId_deref_UniqueProcess_unk = 0x11c4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffffb78a98777c80, ProcessHandle_out = 0x1dc, ret_val_out = 0x0 |
| IofCompleteRequest | Irp_unk = 0xffffb78aa59ffc50, PriorityBoost = 0 |
Execution Path #6 (length: 4, count: 10, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 5 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 5 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcess | DesiredAccess_unk = 0x40, ObjectAttributes_ptr = 0xffff9801953d04d8, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName_ptr = 0x0, ObjectAttributes_deref_Attributes = 0x200, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ClientId_ptr = 0xffff9801953d04c8, ClientId_deref_UniqueProcess_unk = 0x4, ClientId_deref_UniqueThread_unk = 0x0, ProcessHandle_ptr_out = 0xffff9801953d04c0, ProcessHandle_out = 0xffffffff80002014, ret_val_out = 0x0 |
| ZwDuplicateObject | SourceProcessHandle_unk = 0xffffffff80002014, SourceHandle_unk = 0x1b54, TargetProcessHandle_unk = 0xffffffffffffffff, DesiredAccess_unk = 0xffffb78a10000000, HandleAttributes = 0x0, Options = 0x0, TargetHandle_ptr_out = 0xffffb78a98ed54c0, TargetHandle_out = 0x1e0, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80002014, ret_val_out = 0x0 |
| IofCompleteRequest | Irp_unk = 0xffffb78a98961620, PriorityBoost = 0 |
Execution Path #7 (length: 8, count: 70, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 8 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 58 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 12 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffff9801953d0428, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffb78a96257040, PROCESS_unk_out = 0xffffb78a96257040, ApcState_unk_out = 0xffff9801953d04a0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000b88, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffff9801953d0418, Object_out = 0x0, HandleInformation_unk_out = 0x0, ret_val_out = 0xc0000008 |
| KeUnstackDetachProcess | ApcState_unk = 0xffff9801953d04a0 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a96257040, ret_val_ptr_out = 0x2fd60 |
| IofCompleteRequest | Irp_unk = 0xffffb78a97b20850, PriorityBoost = 0 |
Execution Path #8 (length: 9, count: 30, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 19 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 11 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x4, Process_unk_out = 0xffff9801953d0428, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffb78a96257040, PROCESS_unk_out = 0xffffb78a96257040, ApcState_unk_out = 0xffff9801953d04a0 |
| ObReferenceObjectByHandle | Handle_unk = 0xffffffff80000bc0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xffff9801953d0418, Object_out = 0xffffb78a98cd47c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a98cd47c0, ret_val_ptr_out = 0x1fffe |
| KeUnstackDetachProcess | ApcState_unk = 0xffff9801953d04a0 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a96257040, ret_val_ptr_out = 0x2fd59 |
| IofCompleteRequest | Irp_unk = 0xffffb78a97b20850, PriorityBoost = 0 |
Execution Path #9 (length: 6, count: 167, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 6 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 72 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 95 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0x1e0, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffff9801953d0538, Object_out = 0xffffb78a97d997c0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| ObOpenObjectByPointer | Object_ptr = 0xffffb78a97d997c0, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffff9801953d0540, Handle_out = 0xffffffff80001e64, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a97d997c0, ret_val_ptr_out = 0x68047 |
| ZwOpenProcessToken | ProcessHandle_unk = 0xffffffff80001e64, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffb78a98d5d680, TokenHandle_out = 0x1d8, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff80001e64, ret_val_out = 0x0 |
| IofCompleteRequest | Irp_unk = 0xffffb78aa5bc9ee0, PriorityBoost = 0 |
Execution Path #10 (length: 4, count: 11, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 4 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 11 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0xe04, Process_unk_out = 0xffff9801953d0428, ret_val_out = 0x0 |
| PsAcquireProcessExitSynchronization | ret_val_out = 0xc000010a |
| ObfDereferenceObject | Object_ptr = 0xffffb78a984407c0, ret_val_ptr_out = 0x3 |
| IofCompleteRequest | Irp_unk = 0xffffb78a99005460, PriorityBoost = 0 |
Execution Path #23 (length: 2, count: 72, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 40 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 32 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0x1194, Process_unk_out = 0xffff9801953d0428, ret_val_out = 0xc000000b |
| IofCompleteRequest | Irp_unk = 0xffffb78a98d60ee0, PriorityBoost = 0 |
Kernel Graph 3
Code Block #3 (EP #11)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2620 |
| Start Address | 0xfffff803f24ce380 |
Execution Path #11 (length: 1, count: 6, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 6 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsLookupProcessByProcessId | ProcessId_unk = 0xdb4, Process_unk_out = 0xffff9801953d0428, ret_val_out = 0x0 |
Kernel Graph 4
Code Block #4 (EP #12)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2641 |
| Start Address | 0xfffff803f245f480 |
Execution Path #12 (length: 1, count: 12, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 6 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 6 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
Kernel Graph 5
Code Block #5 (EP #13)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2669 |
| Start Address | 0xfffff803f210c540 |
Execution Path #13 (length: 1, count: 12, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 6 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 6 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeStackAttachProcess | PROCESS_unk = 0xffffb78a98a70080, PROCESS_unk_out = 0xffffb78a98a70080, ApcState_unk_out = 0xffff9801953d04a0 |
Kernel Graph 6
Code Block #6 (EP #14)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26a0 |
| Start Address | 0xfffff803f24b3b00 |
Execution Path #14 (length: 1, count: 12, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 101 (telephony_assumption_pharmacies.exe, PID: 3508) | 2 |
| Process 26 (cmd.exe, PID: 4932) | 4 |
| Process 61 (svchost.exe, PID: 1276) | 5 |
| Process 130 (cmd.exe, PID: 3428) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObReferenceObjectByHandle | Handle_unk = 0xf4, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffff9801953d0418, Object_out = 0xffffb78a983f7ef0, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
Kernel Graph 7
Code Block #7 (EP #15)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26d2 |
| Start Address | 0xfffff803f21119d0 |
Execution Path #15 (length: 1, count: 12, processes: 4)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 101 (telephony_assumption_pharmacies.exe, PID: 3508) | 2 |
| Process 26 (cmd.exe, PID: 4932) | 4 |
| Process 61 (svchost.exe, PID: 1276) | 5 |
| Process 130 (cmd.exe, PID: 3428) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeUnstackDetachProcess | ApcState_unk = 0xffff9801953d04a0 |
Kernel Graph 8
Code Block #8 (EP #16)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26ee |
| Start Address | 0xfffff803f254aac0 |
Execution Path #16 (length: 1, count: 12, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 6 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 6 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
Kernel Graph 9
Code Block #9 (EP #17)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x26f5 |
| Start Address | 0xfffff803f2075c00 |
Execution Path #17 (length: 1, count: 26, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 14 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 12 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObfDereferenceObject | Object_ptr = 0xffffb78a98a70080, ret_val_ptr_out = 0x27ffe |
Kernel Graph 10
Code Block #10 (EP #18)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x2195 |
| Start Address | 0xfffff803f2555fe0 |
Execution Path #18 (length: 1, count: 12, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 6 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 6 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObQueryNameString | Object_ptr = 0xffffb78a96234e40, Length = 0x800, ObjectNameInfo_unk_out = 0xffffb78a968e8044, ReturnLength_ptr_out = 0xffff9801953d03d8, ret_val_out = 0x0 |
Kernel Graph 11
Code Block #11 (EP #19)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x20f2 |
| Start Address | 0xfffff803f207dfc0 |
Execution Path #19 (length: 1, count: 18, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 9 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 9 |
Sequence
»
| Symbol | Parameters |
|---|---|
| IofCompleteRequest | Irp_unk = 0xffffb78a98a0b2e0, PriorityBoost = 0 |
Kernel Graph 12
Code Block #12 (EP #20)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x3108 |
| Start Address | 0xfffff803f24cea40 |
Execution Path #20 (length: 1, count: 2, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ObOpenObjectByPointer | Object_ptr = 0xffffb78a98b2e7c0, HandleAttributes = 0x200, PassedAccessState_unk = 0x0, DesiredAccess_unk = 0x10000000, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Handle_ptr_out = 0xffff9801953d0540, Handle_out = 0xffffffff80000c50, ret_val_out = 0x0 |
Kernel Graph 13
Code Block #13 (EP #21)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x1c93 |
| Start Address | 0xfffff803f217cfd0 |
Execution Path #21 (length: 1, count: 4, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 2 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcessToken | ProcessHandle_unk = 0xffffffff80000c50, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffb78a98cedd40, TokenHandle_out = 0x1d8, ret_val_out = 0x0 |
Kernel Graph 14
Code Block #14 (EP #22)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x1ca0 |
| Start Address | 0xfffff803f217ae10 |
Execution Path #22 (length: 1, count: 4, processes: 2)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 37 (mxkefu6a64.exe, PID: 4204) | 2 |
| Process 178 (mxkefu6a64.exe, PID: 5088) | 2 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwClose | Handle_unk = 0xffffffff80000c50, ret_val_out = 0x0 |
Kernel Graph 15
Code Block #15 (EP #24)
»
| Information | Value |
|---|---|
| Trigger | KeDelayExecutionThread+0x70 |
| Start Address | 0xffffb78a98e02816 |
Execution Path #24 (length: 2, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ExAllocatePoolWithTag | PoolType_unk = 0x0, NumberOfBytes_ptr = 0x79ed9, Tag = 0x5746744e, ret_val_ptr_out = 0xffffb78a99b0d000 |
| KeInsertQueueApc | Apc_unk = 0xffffb78a965b5ee3, SystemArgument1_ptr = 0xffffb78a96234257, SystemArgument2_ptr = 0x0, PriorityBoost_unk = 0x0, ret_val_out = 1 |
Kernel Graph 16
Code Block #16 (EP #27)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x2d |
| Start Address | 0xffffb78a99b0d005 |
Execution Path #27 (length: 2, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 2 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeAcquireSpinLockRaiseToDpc | SpinLock_unk = 0xffffb78a99b0d605, SpinLock_unk_out = 0xffffb78a99b0d605, ret_val_unk_out = 0x2 |
| KeReleaseSpinLock | SpinLock_unk = 0xffffb78a99b0d605, NewIrql_unk = 0x206eb6c346a21502, SpinLock_unk_out = 0xffffb78a99b0d605 |
Kernel Graph 17
Code Block #17 (EP #28)
»
| Information | Value |
|---|---|
| Trigger | _guard_dispatch_icall+0x2d |
| Start Address | 0xffffb78a99b242ef |
Execution Path #28 (length: 1, count: 1, processes: 1 incomplete)
»
| Information | Value |
|---|---|
| Sequence Length | 1 |
Processes
»
| Process | Count |
|---|---|
| Process 42 (System, PID: 4) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| KeDelayExecutionThread | WaitMode_unk = 0x0, Alertable = 0, Interval_ptr = 0xffff980193594f80, Interval = -1223977218 |
Kernel Graph 18
Code Block #18 (EP #25, #26)
»
| Information | Value |
|---|---|
| Trigger | PROCEXP152.SYS+0x211a |
| Start Address | 0xfffff803f24a86ef |
Execution Path #25 (length: 9, count: 6, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 9 |
Processes
»
| Process | Count |
|---|---|
| Process 178 (mxkefu6a64.exe, PID: 5088) | 6 |
Sequence
»
| Symbol | Parameters |
|---|---|
| PsAcquireProcessExitSynchronization | ret_val_out = 0x0 |
| KeStackAttachProcess | PROCESS_unk = 0xffffb78a982655c0, PROCESS_unk_out = 0xffffb78a982655c0, ApcState_unk_out = 0xffff98019573c4a0 |
| ObReferenceObjectByHandle | Handle_unk = 0x264, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x1, Object_ptr_out = 0xffff98019573c418, Object_out = 0xffffb78a982a6080, HandleInformation_unk_out = 0x0, ret_val_out = 0x0 |
| KeUnstackDetachProcess | ApcState_unk = 0xffff98019573c4a0 |
| PsReleaseProcessExitSynchronization | ret_val_out = 0x2 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a982655c0, ret_val_ptr_out = 0x3803a |
| ObQueryNameString | Object_ptr = 0xffffb78a982a6080, Length = 0x800, ObjectNameInfo_unk_out = 0xffffb78a9a156044, ReturnLength_ptr_out = 0xffff98019573c420, ret_val_out = 0x0 |
| ObfDereferenceObject | Object_ptr = 0xffffb78a982a6080, ret_val_ptr_out = 0x7ffe |
| IofCompleteRequest | Irp_unk = 0xffffb78aa5bc94a0, PriorityBoost = 0 |
Execution Path #26 (length: 3, count: 1, processes: 1)
»
| Information | Value |
|---|---|
| Sequence Length | 3 |
Processes
»
| Process | Count |
|---|---|
| Process 178 (mxkefu6a64.exe, PID: 5088) | 1 |
Sequence
»
| Symbol | Parameters |
|---|---|
| ZwOpenProcessToken | ProcessHandle_unk = 0xffffffff800023ec, DesiredAccess_unk = 0x8, TokenHandle_ptr_out = 0xffffb78a997de240, TokenHandle_out = 0x1c8, ret_val_out = 0x0 |
| ZwClose | Handle_unk = 0xffffffff800023ec, ret_val_out = 0x0 |
| IofCompleteRequest | Irp_unk = 0xffffb78aa5bc94a0, PriorityBoost = 0 |
