ZeroCleare Wiper Malware | Kernel
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Dropper
Trojan
PUA (potentially unwanted application)
Threat Names:
RawDisk
Trojan.GenericKD.32949123
Trojan.Agent.EJCG
...

Kernel Graph 1

Code Block #1 (EP #1) — driver entry point (trigger IopLoadDriver, executing in the System process). It registers the device \Device\VBoxDrv and the symbolic link \DosDevices\VBoxDrv, i.e. the loaded driver presents itself under the device name normally used by the VirtualBox support driver. The pool tag 0x54525049 used for every allocation in this block decodes to ASCII 'IPRT'.
Information Value
Trigger IopLoadDriver+0xa04
Start Address 0xfffff88004ab4d40
Execution Path #1 (length: 211, count: 1, processes: 1) — note: KeQueryActiveProcessors returns 0x1 (a single active processor in the sandbox), yet the driver initializes 64 DPCs targeting processor numbers 0–63, all with the same deferred routine 0xfffff88004ab4690 and the same context 0xfffffa8001fd8000 (the 0x1000-byte contiguous buffer whose physical address 0x7f9d8000 it also resolves via MmGetPhysicalAddress). The DPC count is a fixed maximum, not derived from the active-processor mask.
Information Value
Sequence Length 211
Processes
Process Count
Process 4 (System, PID: 4) 1
Sequence
Symbol Parameters
RtlInitUnicodeString SourceString = \Device\VBoxDrv, DestinationString_out = \Device\VBoxDrv
IoCreateDevice DriverObject_unk = 0xfffffa8001f455d0, DeviceExtensionSize = 0x1108, DeviceName = \Device\VBoxDrv, DeviceType_unk = 0x22, DeviceCharacteristics = 0x0, Exclusive = 0, DeviceObject_unk_out = 0xfffff88002f9d870, ret_val_out = 0x0
RtlInitUnicodeString SourceString = \DosDevices\VBoxDrv, DestinationString_out = \DosDevices\VBoxDrv
IoCreateSymbolicLink SymbolicLinkName = \DosDevices\VBoxDrv, DeviceName = \Device\VBoxDrv, ret_val_out = 0x0
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20, Tag = 0x54525049, ret_val_ptr_out = 0xfffffa800fc47650
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x50, Tag = 0x54525049, ret_val_ptr_out = 0xfffffa80021991f0
KeInitializeEvent Type_unk = 0x1, State = 0, Event_unk_out = 0xfffffa8002199220
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x50, Tag = 0x54525049, ret_val_ptr_out = 0xfffffa80019e6770
KeInitializeEvent Type_unk = 0x1, State = 0, Event_unk_out = 0xfffffa80019e67a0
KeQueryActiveProcessors ret_val_unk_out = 0x1
MmAllocateContiguousMemory NumberOfBytes_ptr = 0x1000, HighestAcceptableAddress_unk = 0xffffffff, ret_val_ptr_out = 0xfffffa8001fd8000
IoAllocateMdl VirtualAddress_ptr = 0xfffffa8001fd8000, Length = 0x1000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xfffffa800216d300
MmBuildMdlForNonPagedPool MemoryDescriptorList_unk = 0xfffffa800216d300, MemoryDescriptorList_unk_out = 0xfffffa800216d300
ExSetTimerResolution DesiredTime = 0x2625a, SetResolution = 1, ret_val_out = 0x26160
ExSetTimerResolution DesiredTime = 0x0, SetResolution = 0, ret_val_out = 0x26160
KeQueryActiveProcessors ret_val_unk_out = 0x1
MmGetPhysicalAddress BaseAddress_ptr = 0xfffffa8001fd8000, ret_val_unk_out = 0x7f9d8000
KeInitializeTimerEx Type_unk = 0x1, Timer_unk_out = 0xfffffa8001ee0210
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab45b0, DeferredContext_ptr = 0xfffffa8001ee01a0, Dpc_unk_out = 0xfffffa8001ee0250
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0290
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0290, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0290
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0290, Number = 0, Dpc_unk_out = 0xfffffa8001ee0290
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee02d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee02d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee02d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee02d0, Number = 1, Dpc_unk_out = 0xfffffa8001ee02d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0310
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0310, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0310
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0310, Number = 2, Dpc_unk_out = 0xfffffa8001ee0310
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0350
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0350, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0350
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0350, Number = 3, Dpc_unk_out = 0xfffffa8001ee0350
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0390
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0390, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0390
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0390, Number = 4, Dpc_unk_out = 0xfffffa8001ee0390
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee03d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee03d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee03d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee03d0, Number = 5, Dpc_unk_out = 0xfffffa8001ee03d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0410
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0410, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0410
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0410, Number = 6, Dpc_unk_out = 0xfffffa8001ee0410
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0450
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0450, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0450
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0450, Number = 7, Dpc_unk_out = 0xfffffa8001ee0450
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0490
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0490, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0490
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0490, Number = 8, Dpc_unk_out = 0xfffffa8001ee0490
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee04d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee04d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee04d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee04d0, Number = 9, Dpc_unk_out = 0xfffffa8001ee04d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0510
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0510, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0510
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0510, Number = 10, Dpc_unk_out = 0xfffffa8001ee0510
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0550
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0550, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0550
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0550, Number = 11, Dpc_unk_out = 0xfffffa8001ee0550
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0590
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0590, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0590
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0590, Number = 12, Dpc_unk_out = 0xfffffa8001ee0590
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee05d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee05d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee05d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee05d0, Number = 13, Dpc_unk_out = 0xfffffa8001ee05d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0610
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0610, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0610
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0610, Number = 14, Dpc_unk_out = 0xfffffa8001ee0610
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0650
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0650, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0650
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0650, Number = 15, Dpc_unk_out = 0xfffffa8001ee0650
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0690
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0690, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0690
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0690, Number = 16, Dpc_unk_out = 0xfffffa8001ee0690
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee06d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee06d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee06d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee06d0, Number = 17, Dpc_unk_out = 0xfffffa8001ee06d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0710
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0710, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0710
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0710, Number = 18, Dpc_unk_out = 0xfffffa8001ee0710
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0750
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0750, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0750
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0750, Number = 19, Dpc_unk_out = 0xfffffa8001ee0750
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0790
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0790, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0790
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0790, Number = 20, Dpc_unk_out = 0xfffffa8001ee0790
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee07d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee07d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee07d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee07d0, Number = 21, Dpc_unk_out = 0xfffffa8001ee07d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0810
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0810, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0810
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0810, Number = 22, Dpc_unk_out = 0xfffffa8001ee0810
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0850
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0850, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0850
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0850, Number = 23, Dpc_unk_out = 0xfffffa8001ee0850
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0890
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0890, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0890
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0890, Number = 24, Dpc_unk_out = 0xfffffa8001ee0890
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee08d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee08d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee08d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee08d0, Number = 25, Dpc_unk_out = 0xfffffa8001ee08d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0910
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0910, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0910
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0910, Number = 26, Dpc_unk_out = 0xfffffa8001ee0910
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0950
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0950, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0950
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0950, Number = 27, Dpc_unk_out = 0xfffffa8001ee0950
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0990
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0990, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0990
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0990, Number = 28, Dpc_unk_out = 0xfffffa8001ee0990
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee09d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee09d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee09d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee09d0, Number = 29, Dpc_unk_out = 0xfffffa8001ee09d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0a10
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0a10, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0a10
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0a10, Number = 30, Dpc_unk_out = 0xfffffa8001ee0a10
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0a50
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0a50, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0a50
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0a50, Number = 31, Dpc_unk_out = 0xfffffa8001ee0a50
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0a90
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0a90, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0a90
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0a90, Number = 32, Dpc_unk_out = 0xfffffa8001ee0a90
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0ad0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0ad0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0ad0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0ad0, Number = 33, Dpc_unk_out = 0xfffffa8001ee0ad0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0b10
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0b10, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0b10
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0b10, Number = 34, Dpc_unk_out = 0xfffffa8001ee0b10
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0b50
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0b50, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0b50
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0b50, Number = 35, Dpc_unk_out = 0xfffffa8001ee0b50
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0b90
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0b90, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0b90
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0b90, Number = 36, Dpc_unk_out = 0xfffffa8001ee0b90
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0bd0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0bd0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0bd0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0bd0, Number = 37, Dpc_unk_out = 0xfffffa8001ee0bd0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0c10
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0c10, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0c10
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0c10, Number = 38, Dpc_unk_out = 0xfffffa8001ee0c10
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0c50
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0c50, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0c50
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0c50, Number = 39, Dpc_unk_out = 0xfffffa8001ee0c50
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0c90
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0c90, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0c90
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0c90, Number = 40, Dpc_unk_out = 0xfffffa8001ee0c90
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0cd0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0cd0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0cd0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0cd0, Number = 41, Dpc_unk_out = 0xfffffa8001ee0cd0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0d10
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0d10, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0d10
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0d10, Number = 42, Dpc_unk_out = 0xfffffa8001ee0d10
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0d50
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0d50, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0d50
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0d50, Number = 43, Dpc_unk_out = 0xfffffa8001ee0d50
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0d90
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0d90, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0d90
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0d90, Number = 44, Dpc_unk_out = 0xfffffa8001ee0d90
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0dd0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0dd0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0dd0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0dd0, Number = 45, Dpc_unk_out = 0xfffffa8001ee0dd0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0e10
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0e10, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0e10
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0e10, Number = 46, Dpc_unk_out = 0xfffffa8001ee0e10
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0e50
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0e50, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0e50
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0e50, Number = 47, Dpc_unk_out = 0xfffffa8001ee0e50
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0e90
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0e90, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0e90
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0e90, Number = 48, Dpc_unk_out = 0xfffffa8001ee0e90
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0ed0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0ed0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0ed0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0ed0, Number = 49, Dpc_unk_out = 0xfffffa8001ee0ed0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0f10
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0f10, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0f10
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0f10, Number = 50, Dpc_unk_out = 0xfffffa8001ee0f10
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0f50
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0f50, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0f50
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0f50, Number = 51, Dpc_unk_out = 0xfffffa8001ee0f50
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0f90
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0f90, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0f90
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0f90, Number = 52, Dpc_unk_out = 0xfffffa8001ee0f90
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee0fd0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee0fd0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee0fd0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee0fd0, Number = 53, Dpc_unk_out = 0xfffffa8001ee0fd0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee1010
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee1010, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee1010
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee1010, Number = 54, Dpc_unk_out = 0xfffffa8001ee1010
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee1050
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee1050, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee1050
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee1050, Number = 55, Dpc_unk_out = 0xfffffa8001ee1050
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee1090
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee1090, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee1090
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee1090, Number = 56, Dpc_unk_out = 0xfffffa8001ee1090
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee10d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee10d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee10d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee10d0, Number = 57, Dpc_unk_out = 0xfffffa8001ee10d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee1110
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee1110, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee1110
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee1110, Number = 58, Dpc_unk_out = 0xfffffa8001ee1110
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee1150
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee1150, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee1150
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee1150, Number = 59, Dpc_unk_out = 0xfffffa8001ee1150
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee1190
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee1190, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee1190
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee1190, Number = 60, Dpc_unk_out = 0xfffffa8001ee1190
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee11d0
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee11d0, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee11d0
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee11d0, Number = 61, Dpc_unk_out = 0xfffffa8001ee11d0
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee1210
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee1210, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee1210
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee1210, Number = 62, Dpc_unk_out = 0xfffffa8001ee1210
KeInitializeDpc DeferredRoutine_unk = 0xfffff88004ab4690, DeferredContext_ptr = 0xfffffa8001fd8000, Dpc_unk_out = 0xfffffa8001ee1250
KeSetImportanceDpc Dpc_unk = 0xfffffa8001ee1250, Importance_unk = 0x2, Dpc_unk_out = 0xfffffa8001ee1250
KeSetTargetProcessorDpc Dpc_unk = 0xfffffa8001ee1250, Number = 63, Dpc_unk_out = 0xfffffa8001ee1250

Kernel Graph 2

Code Block #2 (EP #2) — IRP dispatch entry (trigger IofCallDriver) reached from soy.exe; PsGetCurrentProcessId returns 0x86c = 2156, matching the reported PID. Two 'IPRT'-tagged allocations (0x678 and 0x20 bytes) are made here; the same addresses are freed in EP #9.
Information Value
Trigger IofCallDriver+0x50
Start Address 0xfffff88004ab4980
Execution Path #2 (length: 5, count: 1, processes: 1)
Information Value
Sequence Length 5
Processes
Process Count
Process 3 (soy.exe, PID: 2156) 1
Sequence
Symbol Parameters
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x678, Tag = 0x54525049, ret_val_ptr_out = 0xfffffa80022ae980
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x20, Tag = 0x54525049, ret_val_ptr_out = 0xfffffa8003319f10
PsGetCurrentProcessId ret_val_unk_out = 0x86c
IoGetCurrentProcess ret_val_unk_out = 0xfffffa80020fa060
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0

Kernel Graph 3

Code Block #3 (EP #3, #4, #5, #6, #7, #8) — a second dispatch routine of the VBoxDrv device, shared by six paths, all issued by soy.exe (PID 2156). Path #3 compares 16 bytes (presumably of the request buffer) against the fixed string "The Magic Word!" and strncmp returns 0, i.e. the caller supplied the expected value; every other path first calls IoIs32bitProcess, consistent with request handling that branches on the caller's bitness.
Information Value
Trigger IofCallDriver+0x50
Start Address 0xfffff88004ab4af0
Execution Path #3 (length: 3, count: 1, processes: 1)
Information Value
Sequence Length 3
Processes
Process Count
Process 3 (soy.exe, PID: 2156) 1
Sequence
Symbol Parameters
IoIs32bitProcess Irp_unk = 0xfffffa800205d9e0, ret_val_out = 0
strncmp _Str1 = The Magic Word!, _Str2 = The Magic Word!, _MaxCount_ptr = 0x10, ret_val_out = 0
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0
Execution Path #4 (length: 7, count: 1, processes: 1) — under the fast mutex the driver allocates 0xd08f bytes at 0xfffffa8002437000 plus a 0x28-byte record; the size is close to the 0xd000-byte region from which the second driver's initialization function is taken in Path #7, so this may be the staged driver payload being copied in — confirm against the IOCTL input. Both buffers are freed in Path #8.
Information Value
Sequence Length 7
Processes
Process Count
Process 3 (soy.exe, PID: 2156) 1
Sequence
Symbol Parameters
IoIs32bitProcess Irp_unk = 0xfffffa800205d9e0, ret_val_out = 0
memchr _Buf_ptr = 0xfffffa80021472dc, _Val = 0, _MaxCount_ptr = 0x20, ret_val_ptr_out = 0xfffffa80021472df
ExAcquireFastMutex FastMutex_unk = 0xfffffa8002199208, FastMutex_unk_out = 0xfffffa8002199208
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd08f, Tag = 0x54525049, ret_val_ptr_out = 0xfffffa8002437000
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x28, Tag = 0x54525049, ret_val_ptr_out = 0xfffffa8003209220
ExReleaseFastMutex FastMutex_unk = 0xfffffa8002199208, FastMutex_unk_out = 0xfffffa8002199208
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0
Execution Path #5 (length: 4, count: 1, processes: 1)
Information Value
Sequence Length 4
Processes
Process Count
Process 3 (soy.exe, PID: 2156) 1
Sequence
Symbol Parameters
IoIs32bitProcess Irp_unk = 0xfffffa800205d9e0, ret_val_out = 0
ExAcquireFastMutex FastMutex_unk = 0xfffffa8002199208, FastMutex_unk_out = 0xfffffa8002199208
ExReleaseFastMutex FastMutex_unk = 0xfffffa8002199208, FastMutex_unk_out = 0xfffffa8002199208
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0
Execution Path #6 (length: 2, count: 1, processes: 1)
Information Value
Sequence Length 2
Processes
Process Count
Process 3 (soy.exe, PID: 2156) 1
Sequence
Symbol Parameters
IoIs32bitProcess Irp_unk = 0xfffffa800205d9e0, ret_val_out = 0
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0
Execution Path #7 (length: 12, count: 1, processes: 1) — the key path in this trace. From an IOCTL issued by soy.exe, the VBoxDrv dispatch routine allocates 0xd000 bytes of pool (tag 0x536c6454, ASCII 'TdlS') at 0xfffffa8002445000 and then calls IoCreateDriver(\Driver\elRawDsk) with an initialization function at 0xfffffa800244f1c0 — an address inside that pool allocation, not inside a loaded image. The resulting driver registers \Device\ElRawDisk / \DosDevices\ElRawDisk (DeviceCharacteristics 0x100 = FILE_DEVICE_SECURE_OPEN, unlike the 0x0 used for VBoxDrv), resolves IoGetLowerDeviceObject and IoGetDiskDeviceObject by name via MmGetSystemRoutineAddress, and reads the OS major/minor version with PsGetVersion. Because the driver object is created by a running driver via IoCreateDriver rather than through the image-load path (there is no IopLoadDriver trigger here, in contrast to EP #1), it presumably does not pass through the normal image-load notification and signature checks — confirm for the kernel version under test. For detection: a second driver object appearing with no corresponding image load, and the 'TdlS' pool tag, are the observable artifacts.
Information Value
Sequence Length 12
Processes
Process Count
Process 3 (soy.exe, PID: 2156) 1
Sequence
Symbol Parameters
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0xd000, Tag = 0x536c6454, ret_val_ptr_out = 0xfffffa8002445000
IoCreateDriver DriverName = \Driver\elRawDsk, InitializationFunction_unk = 0xfffffa800244f1c0, ret_val_out = 0x0
RtlInitUnicodeString SourceString = \Device\ElRawDisk, DestinationString_out = \Device\ElRawDisk
IoCreateDevice DriverObject_unk = 0xfffffa8001f38960, DeviceExtensionSize = 0x0, DeviceName = \Device\ElRawDisk, DeviceType_unk = 0x22, DeviceCharacteristics = 0x100, Exclusive = 0, DeviceObject_unk_out = 0xfffffa8002449350, ret_val_out = 0x0
RtlInitUnicodeString SourceString = \DosDevices\ElRawDisk, DestinationString_out = \DosDevices\ElRawDisk
IoCreateSymbolicLink SymbolicLinkName = \DosDevices\ElRawDisk, DeviceName = \Device\ElRawDisk, ret_val_out = 0x0
RtlInitUnicodeString SourceString = IoGetLowerDeviceObject, DestinationString_out = IoGetLowerDeviceObject
MmGetSystemRoutineAddress SystemRoutineName = IoGetLowerDeviceObject, ret_val_ptr_out = 0xfffff80002833c50
RtlInitUnicodeString SourceString = IoGetDiskDeviceObject, DestinationString_out = IoGetDiskDeviceObject
MmGetSystemRoutineAddress SystemRoutineName = IoGetDiskDeviceObject, ret_val_ptr_out = 0xfffff80002957810
PsGetVersion MajorVersion_ptr_out = 0xfffffa8002449348, MinorVersion_ptr_out = 0xfffffa800244934c, BuildNumber_ptr_out = 0x0, CSDVersion_ptr_out = 0x0, ret_val_out = 0
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0
Execution Path #8 (length: 8, count: 1, processes: 1) — releases the two buffers allocated in Path #4 (0xfffffa8003209220 and the 0xd08f-byte 0xfffffa8002437000) under the fast mutex and a spin lock. If the paths are listed in chronological order, the staged buffer is freed only after Path #7 has created the second driver object.
Information Value
Sequence Length 8
Processes
Process Count
Process 3 (soy.exe, PID: 2156) 1
Sequence
Symbol Parameters
IoIs32bitProcess Irp_unk = 0xfffffa800205d9e0, ret_val_out = 0
ExAcquireFastMutex FastMutex_unk = 0xfffffa8002199208, FastMutex_unk_out = 0xfffffa8002199208
KeAcquireSpinLockRaiseToDpc SpinLock_unk = 0xfffffa800fc47668, SpinLock_unk_out = 0xfffffa800fc47668, ret_val_unk_out = 0x1
KeReleaseSpinLock SpinLock_unk = 0xfffffa800fc47668, NewIrql_unk = 0x1, SpinLock_unk_out = 0xfffffa800fc47668
ExFreePoolWithTag P_ptr = 0xfffffa8003209220, Tag = 0x0
ExFreePoolWithTag P_ptr = 0xfffffa8002437000, Tag = 0x0
ExReleaseFastMutex FastMutex_unk = 0xfffffa8002199208, FastMutex_unk_out = 0xfffffa8002199208
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0

Kernel Graph 4

Code Block #4 (EP #9) — cleanup/close handler for the soy.exe session: under the fast mutex it frees the two allocations made in EP #2 (0xfffffa8003319f10 and 0xfffffa80022ae980) and completes the IRP.
Information Value
Trigger IofCallDriver+0x50
Start Address 0xfffff88004ab4390
Execution Path #9 (length: 5, count: 1, processes: 1)
Information Value
Sequence Length 5
Processes
Process Count
Process 3 (soy.exe, PID: 2156) 1
Sequence
Symbol Parameters
ExAcquireFastMutex FastMutex_unk = 0xfffffa8002199208, FastMutex_unk_out = 0xfffffa8002199208
ExReleaseFastMutex FastMutex_unk = 0xfffffa8002199208, FastMutex_unk_out = 0xfffffa8002199208
ExFreePoolWithTag P_ptr = 0xfffffa8003319f10, Tag = 0x0
ExFreePoolWithTag P_ptr = 0xfffffa80022ae980, Tag = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0

Kernel Graph 5

Code Block #5 (EP #10) — driver unload (trigger IopLoadUnloadDriver, System process). It tears down only the VBoxDrv artifacts: deletes \DosDevices\VBoxDrv, cancels the timer initialized in EP #1 (0xfffffa8001ee0210), frees the MDL (0xfffffa800216d300), the contiguous buffer (0xfffffa8001fd8000) and the three 'IPRT' allocations from EP #1, then deletes the device object. The \Driver\elRawDsk and \Device\ElRawDisk objects created in Path #7 are not removed here, so within this trace they outlive the driver that created them.
Information Value
Trigger IopLoadUnloadDriver+0x19
Start Address 0xfffff88004ab48b0
Execution Path #10 (length: 9, count: 1, processes: 1)
Information Value
Sequence Length 9
Processes
Process Count
Process 4 (System, PID: 4) 1
Sequence
Symbol Parameters
RtlInitUnicodeString SourceString = \DosDevices\VBoxDrv, DestinationString_out = \DosDevices\VBoxDrv
IoDeleteSymbolicLink SymbolicLinkName = \DosDevices\VBoxDrv, ret_val_out = 0x0
KeCancelTimer param_1_unk = 0xfffffa8001ee0210, param_1_unk_out = 0xfffffa8001ee0210, ret_val_out = 0
IoFreeMdl Mdl_unk = 0xfffffa800216d300
MmFreeContiguousMemory BaseAddress_ptr = 0xfffffa8001fd8000
ExFreePoolWithTag P_ptr = 0xfffffa80019e6770, Tag = 0x0
ExFreePoolWithTag P_ptr = 0xfffffa80021991f0, Tag = 0x0
ExFreePoolWithTag P_ptr = 0xfffffa800fc47650, Tag = 0x0
IoDeleteDevice DeviceObject_unk = 0xfffffa8001ee0050

Kernel Graph 6

Code Block #6 (EP #11)
Information Value
Trigger IofCallDriver+0x50
Start Address 0xfffffa800244b280
Execution Path #11 (length: 29, count: 3, processes: 1) — requests on the ElRawDisk device (start address 0xfffffa800244b280, inside the pool region allocated in Path #7) from clientupdate.exe (PID 1456), a different process from the soy.exe that loaded it. The driver tests the supplied name against two GUID-style prefixes ("\#{8A6DB7D2-…}#" and "\#{9A6DB7D2-…}#", both mismatch), splits "\??\c:#b4b615c2…" at '#', converts the hex token after it to ANSI (presumably an access key the driver validates — confirm), then opens "\??\c:" with ZwOpenFile (ShareAccess 0x3 = read and write sharing), references the resulting file object and walks to the attached device via IoGetAttachedDevice — apparently acquiring the device object of the C: volume itself. The pool tag 0x6b734444 decodes to 'DDsk'. Only the first 13 of the 29 calls are shown in this excerpt; the sequence is cut off.
Information Value
Sequence Length 29
Processes
Process Count
Process 1 (clientupdate.exe, PID: 1456) 3
Sequence
Symbol Parameters
RtlPrefixUnicodeString String1 = \#{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}#, String2 = \??\c:#b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d, CaseInSensitive = 0, ret_val_out = 0
RtlPrefixUnicodeString String1 = \#{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}#, String2 = \??\c:#b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d, CaseInSensitive = 0, ret_val_out = 0
RtlUnicodeStringToAnsiString SourceString = b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d, AllocateDestinationString = 1, DestinationString_out = b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d, ret_val_out = 0x0
RtlFreeAnsiString AnsiString = b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d
RtlUnicodeStringToAnsiString SourceString = b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d, AllocateDestinationString = 1, DestinationString_out = b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d, ret_val_out = 0x0
RtlFreeAnsiString AnsiString = b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x68, Tag = 0x6b734444, ret_val_ptr_out = 0xfffffa8003c3a5c0
KeInitializeEvent Type_unk = 0x1, State = 0, Event_unk_out = 0xfffffa8003c3a608
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0xe, Tag = 0x6b734444, ret_val_ptr_out = 0xfffff8a001230730
ZwOpenFile DesiredAccess_unk = 0x0, ObjectAttributes_ptr = 0xfffff88005246540, ObjectAttributes_deref_Length = 0x30, ObjectAttributes_deref_RootDirectory_unk = 0x0, ObjectAttributes_deref_ObjectName = \??\c:, ObjectAttributes_deref_Attributes = 0x240, ObjectAttributes_deref_SecurityDescriptor_ptr = 0x0, ObjectAttributes_deref_SecurityQualityOfService_ptr = 0x0, ShareAccess = 0x3, OpenOptions = 0x0, FileHandle_ptr_out = 0xfffff880052465a8, FileHandle_out = 0xffffffff800007a8, IoStatusBlock_unk_out = 0xfffff88005246530, ret_val_out = 0x0
ObReferenceObjectByHandle Handle_unk = 0xffffffff800007a8, DesiredAccess_unk = 0x0, ObjectType_unk = 0x0, AccessMode_unk = 0x0, Object_ptr_out = 0xfffff880052465b0, Object_out = 0xfffffa8001f06e50, HandleInformation_unk_out = 0x0, ret_val_out = 0x0
IoGetAttachedDevice DeviceObject_unk = 0xfffffa800282fcd0, ret_val_unk_out = 0xfffffa8002831040
ObfReferenceObject Object_ptr = 0xfffffa8002831040, ret_val_ptr_out = 0xd
ObfDereferenceObject Object_ptr = 0xfffffa8001f06e50, ret_val_ptr_out = 0x1
ExAllocatePoolWithTag PoolType_unk = 0x1, NumberOfBytes_ptr = 0x1000, Tag = 0x6b734444, ret_val_ptr_out = 0xfffff8a001d6e000
ZwDeviceIoControlFile DeviceHandle_unk = 0xffffffff800007a8, Event_unk = 0x0, UserApcRoutine_unk = 0x0, UserApcContext_ptr = 0x0, IoControlCode = 0x700a0, InputBuffer_ptr = 0x0, InputBufferSize = 0x0, OutputBufferSize = 0x1000, IoStatusBlock_unk_out = 0xfffff880052464e0, OutputBuffer_ptr_out = 0xfffff8a001d6e000, OutputBuffer_deref_data_out = BINARY(offset=1908982,skipped=0,size=4096), ret_val_out = 0x0
ExFreePoolWithTag P_ptr = 0xfffff8a001d6e000, Tag = 0x0
ZwClose Handle_unk = 0xffffffff800007a8, ret_val_out = 0x0
IoGetAttachedDevice DeviceObject_unk = 0xfffffa8002831040, ret_val_unk_out = 0xfffffa8002831040
ObfReferenceObject Object_ptr = 0xfffffa8002831040, ret_val_ptr_out = 0xe
IoGetLowerDeviceObject DeviceObject_unk = 0xfffffa8002831040, ret_val_unk_out = 0xfffffa800282a670
ObfDereferenceObject Object_ptr = 0xfffffa8002831040, ret_val_ptr_out = 0xd
IoGetLowerDeviceObject DeviceObject_unk = 0xfffffa800282a670, ret_val_unk_out = 0xfffffa800282f040
ObfDereferenceObject Object_ptr = 0xfffffa800282a670, ret_val_ptr_out = 0x1
IoGetLowerDeviceObject DeviceObject_unk = 0xfffffa800282f040, ret_val_unk_out = 0xfffffa800282fcd0
ObfDereferenceObject Object_ptr = 0xfffffa800282f040, ret_val_ptr_out = 0x1
IoGetLowerDeviceObject DeviceObject_unk = 0xfffffa800282fcd0, ret_val_unk_out = 0x0
ObfDereferenceObject Object_ptr = 0xfffffa800282fcd0, ret_val_ptr_out = 0x9
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0

Kernel Graph 7

Code Block #7 (EP #12, #13, #14, #16)
Information Value
Trigger IofCallDriver+0x50
Start Address 0xfffffa8002447008
Execution Path #12 (length: 4, count: 9, processes: 1)
Information Value
Sequence Length 4
Processes
Process Count
Process 1 (clientupdate.exe, PID: 1456) 9
Sequence
Symbol Parameters
KeInitializeEvent Type_unk = 0x0, State = 0, Event_unk_out = 0xfffff880052467b0
IoBuildDeviceIoControlRequest IoControlCode = 0x700a0, DeviceObject_unk = 0xfffffa8002831040, InputBuffer_ptr = 0xfffffa800343ac80, InputBufferLength = 0x0, OutputBufferLength = 0x28, InternalDeviceIoControl = 0, Event_unk = 0xfffff880052467b0, OutputBuffer_ptr_out = 0xfffffa800343ac80, IoStatusBlock_unk_out = 0xfffff88005246838, ret_val_unk_out = 0xfffffa8001ef5160
IofCallDriver DeviceObject_unk = 0xfffffa8002831040, Irp_unk = 0xfffffa8001ef5160, Irp_unk_out = 0xfffffa8001ef5160, ret_val_out = 0x0
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0
Execution Path #13 (length: 11, count: 1248, processes: 1)
Information Value
Sequence Length 11
Processes
Process Count
Process 1 (clientupdate.exe, PID: 1456) 1248
Sequence
Symbol Parameters
IoIs32bitProcess Irp_unk = 0xfffffa800205d9e0, ret_val_out = 0
IoAllocateMdl VirtualAddress_ptr = 0x13f0ebf20, Length = 0xa00000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xfffffa80023d9000
MmProbeAndLockPages MemoryDescriptorList_unk = 0xfffffa80023d9000, AccessMode_unk = 0x1, Operation_unk = 0x0, MemoryDescriptorList_unk_out = 0xfffffa80023d9000
MmMapLockedPagesSpecifyCache MemoryDescriptorList_unk = 0xfffffa80023d9000, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xfffff88000000010, ret_val_ptr_out = 0xfffff88005400f20
KeInitializeEvent Type_unk = 0x0, State = 0, Event_unk_out = 0xfffff880052467d0
IoBuildSynchronousFsdRequest MajorFunction = 0x4, DeviceObject_unk = 0xfffffa8002831040, Buffer_ptr = 0xfffff88005400f20, Length = 0xa00000, StartingOffset_ptr = 0xfffffa8003bab2c0, Event_unk = 0xfffff880052467d0, Buffer_ptr_out = 0xfffff88005400f20, IoStatusBlock_unk_out = 0xfffff880052467c0, ret_val_unk_out = 0xfffffa8001ef5160
IofCallDriver DeviceObject_unk = 0xfffffa8002831040, Irp_unk = 0xfffffa8001ef5160, Irp_unk_out = 0xfffffa8001ef5160, ret_val_out = 0x103
KeWaitForMutexObject ret_val_out = 0x0
MmUnlockPages MemoryDescriptorList_unk = 0xfffffa80023d9000, MemoryDescriptorList_unk_out = 0xfffffa80023d9000
IoFreeMdl Mdl_unk = 0xfffffa80023d9000
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0
Execution Path #14 (length: 10, count: 1, processes: 1)
Information Value
Sequence Length 10
Processes
Process Count
Process 1 (clientupdate.exe, PID: 1456) 1
Sequence
Symbol Parameters
IoAllocateMdl VirtualAddress_ptr = 0x13f0ebf20, Length = 0xa00000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xfffffa8002006000
MmProbeAndLockPages MemoryDescriptorList_unk = 0xfffffa8002006000, AccessMode_unk = 0x1, Operation_unk = 0x0, MemoryDescriptorList_unk_out = 0xfffffa8002006000
MmMapLockedPagesSpecifyCache MemoryDescriptorList_unk = 0xfffffa8002006000, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xfffff88000000010, ret_val_ptr_out = 0xfffff88005400f20
KeInitializeEvent Type_unk = 0x0, State = 0, Event_unk_out = 0xfffff880052467d0
IoBuildSynchronousFsdRequest MajorFunction = 0x4, DeviceObject_unk = 0xfffffa8002831040, Buffer_ptr = 0xfffff88005400f20, Length = 0xa00000, StartingOffset_ptr = 0xfffffa80022ad480, Event_unk = 0xfffff880052467d0, Buffer_ptr_out = 0xfffff88005400f20, IoStatusBlock_unk_out = 0xfffff880052467c0, ret_val_unk_out = 0xfffffa800231b880
IofCallDriver DeviceObject_unk = 0xfffffa8002831040, Irp_unk = 0xfffffa800231b880, Irp_unk_out = 0xfffffa800231b880, ret_val_out = 0x103
KeWaitForMutexObject ret_val_out = 0x0
MmUnlockPages MemoryDescriptorList_unk = 0xfffffa8002006000, MemoryDescriptorList_unk_out = 0xfffffa8002006000
IoFreeMdl Mdl_unk = 0xfffffa8002006000
IofCompleteRequest Irp_unk = 0xfffffa800205d9e0, PriorityBoost = 0
Execution Path #16 (length: 7, count: 1, processes: 1 incomplete)
Information Value
Sequence Length 7
Processes
Process Count
Process 1 (clientupdate.exe, PID: 1456) 1
Sequence
Symbol Parameters
IoIs32bitProcess Irp_unk = 0xfffffa800289e920, ret_val_out = 0
IoAllocateMdl VirtualAddress_ptr = 0x13f0ebf20, Length = 0xa00000, SecondaryBuffer = 0, ChargeQuota = 0, Irp_unk = 0x0, Irp_unk_out = 0x0, ret_val_unk_out = 0xfffffa80019f3000
MmProbeAndLockPages MemoryDescriptorList_unk = 0xfffffa80019f3000, AccessMode_unk = 0x1, Operation_unk = 0x0, MemoryDescriptorList_unk_out = 0xfffffa80019f3000
MmMapLockedPagesSpecifyCache MemoryDescriptorList_unk = 0xfffffa80019f3000, AccessMode_unk = 0x0, CacheType_unk = 0x1, BaseAddress_ptr = 0x0, BugCheckOnFailure = 0x0, Priority_unk = 0xfffff88000000010, ret_val_ptr_out = 0xfffff88005400f20
KeInitializeEvent Type_unk = 0x0, State = 0, Event_unk_out = 0xfffff880052467d0
IoBuildSynchronousFsdRequest MajorFunction = 0x4, DeviceObject_unk = 0xfffffa8002831040, Buffer_ptr = 0xfffff88005400f20, Length = 0xa00000, StartingOffset_ptr = 0xfffffa80018f9340, Event_unk = 0xfffff880052467d0, Buffer_ptr_out = 0xfffff88005400f20, IoStatusBlock_unk_out = 0xfffff880052467c0, ret_val_unk_out = 0xfffffa800231b880
IofCallDriver DeviceObject_unk = 0xfffffa8002831040, Irp_unk = 0xfffffa800231b880, Irp_unk_out = 0xfffffa800231b880, ret_val_out = 0x103

Kernel Graph 8

Code Block #8 (EP #15)
Information Value
Trigger ExpWorkerThread+0x10f
Start Address 0xfffffa80019f8378
Execution Path #15 (length: 1, count: 1, processes: 1 incomplete)
Information Value
Sequence Length 1
Processes
Process Count
Process 4 (System, PID: 4) 1
Sequence
Symbol Parameters
ExAllocatePoolWithTag PoolType_unk = 0x0, NumberOfBytes_ptr = 0x1cbbb, Tag = 0x655a6343, ret_val_ptr_out = 0xfffffa8002452000