struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08355db5540 PVOID caller = 0xfffff8068510b837 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0 TID tid = 0x22c4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a56f60000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x20000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0x1 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08355db5540 PVOID caller = 0xfffff806850800e6 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x22c4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessThreadStackAllocation PVOID ProcessInformation = 0xffff8883e0b8e990 ULONG ProcessInformationSize = 0x28 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08355db5540 PVOID caller = 0xfffff80685080152 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x22c4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ac34000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0xfc000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08355db5540 PVOID caller = 0xfffff806850801a8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x22c4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ac31000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x3000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0x1 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80003388 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80003388 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff80003388 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffffc08300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80003388 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80003388 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff80003388 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0x1 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff80003388 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0x1 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003388 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806851b068f struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0xffffffff80002bb4 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0x1 BIT3 CREATE_SUB_KEY = 0x1 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0x1 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0x1 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x80000088 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x4c USHORT MaximumLength = 0x4e STR Buffer = { char [256] chars = [ "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806851b068f struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x80002bb4 STR name = { char [256] chars = [ "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x14 USHORT MaximumLength = 0x16 STR Buffer = { char [256] chars = [ "Properties" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = -1073741772 } }struct NtPlugPlayControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685099b1e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtPlugPlayControl csyscall = { PLUGPLAY_CONTROL_CLASS PnPControlClass = PlugPlayControlGetDeviceInterfaceEnabled PVOID PnPControlData = 0xffff8883dd366ec0 ULONG PnPControlDataLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtPlugPlayControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685099b1e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtPlugPlayControl csyscall = { PLUGPLAY_CONTROL_CLASS PnPControlClass = PlugPlayControlGetDeviceInterfaceEnabled PVOID PnPControlData = 0xffff8883dd366ec0 ULONG PnPControlDataLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtPlugPlayControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685099b1e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtPlugPlayControl csyscall = { PLUGPLAY_CONTROL_CLASS PnPControlClass = PlugPlayControlGetDeviceInterfaceEnabled PVOID PnPControlData = 0xffff8883dd366ec0 ULONG PnPControlDataLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtPlugPlayControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685099b1e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtPlugPlayControl csyscall = { PLUGPLAY_CONTROL_CLASS PnPControlClass = PlugPlayControlGetDeviceInterfaceEnabled PVOID PnPControlData = 0xffff8883dd366ec0 ULONG PnPControlDataLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtPlugPlayControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685099b1e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtPlugPlayControl csyscall = { PLUGPLAY_CONTROL_CLASS PnPControlClass = PlugPlayControlGetDeviceInterfaceEnabled PVOID PnPControlData = 0xffff8883dd366ec0 ULONG PnPControlDataLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtPlugPlayControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685099b1e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtPlugPlayControl csyscall = { PLUGPLAY_CONTROL_CLASS PnPControlClass = PlugPlayControlGetDeviceInterfaceEnabled PVOID PnPControlData = 0xffff8883dd366ec0 ULONG PnPControlDataLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtPlugPlayControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685099b1e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtPlugPlayControl csyscall = { PLUGPLAY_CONTROL_CLASS PnPControlClass = PlugPlayControlGetDeviceInterfaceEnabled PVOID PnPControlData = 0xffff8883dd366ec0 ULONG PnPControlDataLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtPlugPlayControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685099b1e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtPlugPlayControl csyscall = { PLUGPLAY_CONTROL_CLASS PnPControlClass = PlugPlayControlGetDeviceInterfaceEnabled PVOID PnPControlData = 0xffff8883dd366ec0 ULONG PnPControlDataLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806851b8118 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80002bb4 STR name = { char [256] chars = [ "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x8000304c STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtResetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806850b42e9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtResetEvent csyscall = { HANDLE EventHandle = { void *h = 0x80004014 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtDeviceIoControlFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806850b432b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtDeviceIoControlFile csyscall = { HANDLE FileHandle = { void *h = 0x80002bb4 STR name = { char [256] chars = [ "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ] } } HANDLE Event = { void *h = 0x80004014 STR name = { char [256] chars = [ "" ] } } PIO_APC_ROUTINE ApcRoutine = 0 PVOID ApcContext = 0 IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0xc } IO_CTRL_CODE IoControlCode = IOCTL_STORAGE_QUERY_PROPERTY INBUF InputBuffer = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN InputBufferLength = 0xc OUTBUF outBuffer = { byte [128] buf = [ 0xc, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } OUTLEN outBufferLength = 0xc NTSTATUS result = STATUS_SUCCESS } }struct NtResetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806850b780c struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtResetEvent csyscall = { HANDLE EventHandle = { void *h = 0x80004014 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtDeviceIoControlFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806850b7853 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtDeviceIoControlFile csyscall = { HANDLE FileHandle = { void *h = 0x80002bb4 STR name = { char [256] chars = [ "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ] } } HANDLE Event = { void *h = 0x80004014 STR name = { char [256] chars = [ "" ] } } PIO_APC_ROUTINE ApcRoutine = 0 PVOID ApcContext = 0 IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x20 } IO_CTRL_CODE IoControlCode = IOCTL_STORAGE_QUERY_PROPERTY INBUF InputBuffer = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN InputBufferLength = 0xc OUTBUF outBuffer = { byte [128] buf = [ 0x20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } OUTLEN outBufferLength = 0x20 NTSTATUS result = STATUS_PENDING } }struct NtWaitForSingleObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff80685285f41 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtWaitForSingleObject csyscall = { HANDLE Handle = { void *h = 0x80004014 STR name = { char [256] chars = [ "" ] } } BOOLEAN Alertable = 0 LARGE_INTEGER Timeout = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806808843b0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005a80 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806808843b0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80002078 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806808843b0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80004578 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0841d718540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1e1c BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08386e04580 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x5bd8 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08422739540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x6de0 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80005388 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0839b6c9540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x4108 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80001974 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08329f17040 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x4690 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80004aac STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083b5b6b540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x5170 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80004aac STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083c8469540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1d94 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80003110 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083cccd1540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x6f40 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80005148 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083b1ba7540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1dac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80004578 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08422739540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x6de0 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80004578 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08332e9d540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x5274 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80004578 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0841d718540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1e1c BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x800056ec STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083e13de540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x20d0 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x8000442c STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0839b6c9540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x4108 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x800028a8 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08386e04580 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x5bd8 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x800054ac STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083e9a462c0 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2360 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0838950c540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x60c BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80004f0c STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc08357fc5540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0xd90 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x800042f8 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083da259540 PVOID caller = 0xfffff80686c4eaee struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0xed4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x80005f98 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } INBUF FileInformation = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN Length = 0x28 FILE_INFORMATION_CLASS FileInformationClass = FileBasicInformation NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806808843b0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x8000304c STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3d0510 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083524bf040 PVOID caller = 0xfffff806808843b0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x78d4 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80002bb4 STR name = { char [256] chars = [ "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3d0000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x8 ULONG OldProtect = 0x8 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd2e72e0 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2f890 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0x4 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = NotificationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtManageHotPatchCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtManageHotPatch csyscall = { HOT_PATCH_INFORMATION_CLASS arg1 = ManageHotPatchCheckEnabled PVOID arg2 = 0xf23ad2f728 ULONG arg3 = 0x8 ULONG arg4 = 0 NTSTATUS result = -1073741637 } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x4 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0x8 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = NotificationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemBasicInformation PVOID SystemInformation = 0xf23ad2f640 ULONG SystemInformationLength = 0x40 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessCookie PVOID ProcessInformation = 0x9e542be ULONG ProcessInformationLength = 0 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7e USHORT MaximumLength = 0x80 STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CodePage" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CodePage" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x6 USHORT MaximumLength = 0x8 STR Buffer = { char [256] chars = [ "ACP" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x100000000 ULONG Length = 0x24 ULONG ResultLength = 0x16 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CodePage" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "OEMCP" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x100000000 ULONG Length = 0x24 ULONG ResultLength = 0x14 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CodePage" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b526a struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0xc ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0x50 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0x72 BIT30 GENERIC_EXECUTE = 0x65 BIT32 GENERIC_READ = 0x6e BIT31 GENERIC_WRITE = 0x74 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x746e6f43 HANDLE RootDirectory = { void *h = 0x72746e6f435c7465 STR name = { char [256] chars = [ "ol\Nls\CodePage" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b52b8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b526a struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0xc ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b52b8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b526a struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0xc ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b52b8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemFlushInformation PVOID SystemInformation = 0xf23ad2f2a0 ULONG SystemInformationLength = 0x20 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd240000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2f230 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryWorkingSetExInformation PVOID MemoryInformation = 0xf23ad2f270 SIZE_T MemoryInformationLength = 0x50 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x84 USHORT MaximumLength = 0x86 STR Buffer = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xc STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x40 USHORT MaximumLength = 0x42 STR Buffer = { char [256] chars = [ "RaiseExceptionOnPossibleDeadlock" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0x50 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xc STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x9e USHORT MaximumLength = 0xa0 STR Buffer = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessCookie PVOID ProcessInformation = 0x9e542be ULONG ProcessInformationLength = 0 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessCookie PVOID ProcessInformation = 0x7ffb09e542be ULONG ProcessInformationLength = 0 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySecurityAttributesTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySecurityAttributesToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffc STR name = { char [256] chars = [ "NtCurrentProcessToken" ] } } UNICODE_STRING Attributes = { USHORT Length = 0x1c USHORT MaximumLength = 0x1e STR Buffer = { char [256] chars = [ "WIN://SYSAPPID" ] } } ULONG NumberOfAttributes = 0 PVOID Buffer = 0xf23ad2ebf0 ULONG Length = 0x330 ULONG ReturnLength = 0 NTSTATUS result = -1073741275 } }struct NtQuerySecurityAttributesTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySecurityAttributesToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffc STR name = { char [256] chars = [ "NtCurrentProcessToken" ] } } UNICODE_STRING Attributes = { USHORT Length = 0x1c USHORT MaximumLength = 0x1e STR Buffer = { char [256] chars = [ "WIN://SYSAPPID" ] } } ULONG NumberOfAttributes = 0 PVOID Buffer = 0xf23ad2ebf0 ULONG Length = 0x330 ULONG ReturnLength = 0 NTSTATUS result = -1073741275 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x84 USHORT MaximumLength = 0x86 STR Buffer = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xc STR name = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x20 USHORT MaximumLength = 0x22 STR Buffer = { char [256] chars = [ "ResourcePolicies" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0x18 ULONG ResultLength = 0xbd2400d8 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xc STR name = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessCookie PVOID ProcessInformation = 0xf209e542be ULONG ProcessInformationLength = 0 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemBasicInformation PVOID SystemInformation = 0xf23ad2f250 ULONG SystemInformationLength = 0x40 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemEmulationBasicInformation PVOID SystemInformation = 0xf23ad2f280 ULONG SystemInformationLength = 0x40 ULONG ReturnedResultLength = 0x6e006f NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemoryEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7df5b6fb0000 SIZE_T RegionSize = 0x2001000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0x1 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0x1 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT PageProtection = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } MEM_EXTENDED_PARAMETER ExtendedParameters = { struct DUMMYSTRUCTNAME = { DWORD64 Type = 0x1 uint64_t Reserved :56 = 0xf23ad2f140 } union DUMMYUNIONNAME = { DWORD64 ULong64 = 0xc5 PVOID Pointer = 0x7ffbbd2c31c5 SIZE_T Size = 0x7ffbbd2c31c5 HANDLE Handle = { void *h = 0x7ffbbd2c31c5 STR name = { char [256] chars = [ "" ] } } DWORD ULong = 0xbd2c31c5 } } ULONG ExtendedParameterCount = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemoryEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7df5b8fb0000 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT PageProtection = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } MEM_EXTENDED_PARAMETER ExtendedParameters = { struct DUMMYSTRUCTNAME = { DWORD64 Type = 0 uint64_t Reserved :56 = 0 } union DUMMYUNIONNAME = { DWORD64 ULong64 = 0 PVOID Pointer = 0 SIZE_T Size = 0 HANDLE Handle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } DWORD ULong = 0 } } ULONG ExtendedParameterCount = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemoryEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7df4b6f90000 SIZE_T RegionSize = 0x100020000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0x1 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0x1 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT PageProtection = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } MEM_EXTENDED_PARAMETER ExtendedParameters = { struct DUMMYSTRUCTNAME = { DWORD64 Type = 0x1 uint64_t Reserved :56 = 0xf23ad2f0f0 } union DUMMYUNIONNAME = { DWORD64 ULong64 = 0x80 PVOID Pointer = 0x7ffbbd387680 SIZE_T Size = 0x7ffbbd387680 HANDLE Handle = { void *h = 0x7ffbbd387680 STR name = { char [256] chars = [ '\004', '\0', '\0', '\0', '\37777777773', '\177', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777773', '\177', '\0', '\0', '\37777777624', '\37777777757', 'Q', '\37777777672', '\37777777762', '\37777777651', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '[', '\011', '6', '\37777777675', '\37777777773', '\177', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'H', '\37777777647', ';', '\37777777675', '\37777777773', '\177', '\0', '\0', '\37777777705', '1', ',', '\37777777675', '\37777777773', '\177', '\0', '\0', '\004', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777641', '\011', '6', '\37777777675', '\37777777773', '\177', '\0', '\0', '(', '\37777777647', ';', '\37777777675', '\37777777773', '\177', '\0', '\0', '\37777777666', '\016', '/', '\37777777675', '\37777777773', '\177', '\0', '\0', '\0', '\0', '\002', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\002', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777777', '\37777777777', '\37777777777', '\177', '\0', '\0', '\0', 'P', '\37777777740', ':', '\37777777762', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'R', '\001', ')', '\37777777675', '\37777777773', '\177', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777736', '\37777777762', '5', '\37777777675', '\37777777773', '\177', '\0', '\0', '\0', '\0', '\37777777777', '\37777777777', '\37777777777', '\177', '\0', '\0', '\0', '\020', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777777', '\37777777777', '\37777777777', '\177', '\0', '\0', '\0', 'P', '\37777777740', ':', '\37777777762', '\0', '\0', '\0' ] } } DWORD ULong = 0xbd387680 } } ULONG ExtendedParameterCount = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemBasicInformation PVOID SystemInformation = 0xf23ad2f0f0 ULONG SystemInformationLength = 0x40 ULONG ReturnedResultLength = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57020000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2e0000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0x1 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtFreeVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtFreeVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ad2efb0 SIZE_T RegionSize = 0x1e0000 ULONG FreeType = 0x8000 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57200000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemHypervisorSharedPageInformation PVOID SystemInformation = 0xf23ad2f448 ULONG SystemInformationLength = 0x8 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemNumaProcessorMap PVOID SystemInformation = 0xf23ad2eec0 ULONG SystemInformationLength = 0x408 ULONG ReturnedResultLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xc ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = SynchronizationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWaitCompletionPacket csyscall = { PHANDLE WaitCompletionPacketHandle = 0x10 ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0x1 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformationEx csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemLogicalProcessorAndGroupInformation PVOID InputBuffer = 0xf23ad2ee60 ULONG InputBufferLength = 0x4 PVOID SystemInformation = 0 ULONG SystemInformationLength = 0 ULONG ReturnedResultLength = 0x30 NTSTATUS result = -1073741820 } }struct NtQuerySystemInformationExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformationEx csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemLogicalProcessorAndGroupInformation PVOID InputBuffer = 0xf23ad2ee60 ULONG InputBufferLength = 0x4 PVOID SystemInformation = 0x25a57200dc0 ULONG SystemInformationLength = 0x30 ULONG ReturnedResultLength = 0x30 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateIoCompletionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateIoCompletion csyscall = { PHANDLE IoCompletionHandle = 0x14 ACCESS_MASK_IOCOMPLETION DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG Count = 0xd NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWorkerFactory csyscall = { PHANDLE WorkerFactoryHandleReturn = 0 ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0x1 BIT2 BIT2 = 0x1 BIT3 BIT3 = 0x1 BIT4 BIT4 = 0x1 BIT5 BIT5 = 0x1 BIT6 BIT6 = 0x1 BIT7 BIT7 = 0x1 BIT8 BIT8 = 0x1 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } HANDLE CompletionPortHandle = { void *h = 0x14 STR name = { char [256] chars = [ "" ] } } HANDLE WorkerProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PTPP_START_ROUTINE StartParameter = 0x7ffbbd256870 PVOID MaxThreadCount = 0x25a57200b50 ULONG StackReserve = 0x200 SIZE_T StackCommit = 0x100000 SIZE_T arg1 = 0xfc000 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateTimer2CALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateTimer2 csyscall = { PHANDLE TimerHandle = 0x1c PVOID ReservedA = 0 PVOID ReservedB = 0 ULONG Attributes = 0x8 ACCESS_MASK_TIMER DesiredAccess = { BIT1 QUERY_STATE = 0 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWaitCompletionPacket csyscall = { PHANDLE WaitCompletionPacketHandle = 0x20 ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0x1 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtAssociateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAssociateWaitCompletionPacket csyscall = { HANDLE WaitCompletionPacketHandle = { void *h = 0x20 STR name = { char [256] chars = [ "" ] } } HANDLE IoCompletionHandle = { void *h = 0x14 STR name = { char [256] chars = [ "" ] } } HANDLE TargetObjectHandle = { void *h = 0x1c STR name = { char [256] chars = [ "" ] } } PVOID KeyContext = 0x25a57200bf0 PVOID ApcContext = 0x25a57200bc0 NTSTATUS IoStatus = STATUS_SUCCESS ULONG IoStatusInformation = 0 BOOLEAN AlreadySignaled = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateTimer2CALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateTimer2 csyscall = { PHANDLE TimerHandle = 0x24 PVOID ReservedA = 0 PVOID ReservedB = 0 ULONG Attributes = 0x8 ACCESS_MASK_TIMER DesiredAccess = { BIT1 QUERY_STATE = 0 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWaitCompletionPacket csyscall = { PHANDLE WaitCompletionPacketHandle = 0x28 ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0x1 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtAssociateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAssociateWaitCompletionPacket csyscall = { HANDLE WaitCompletionPacketHandle = { void *h = 0x28 STR name = { char [256] chars = [ "" ] } } HANDLE IoCompletionHandle = { void *h = 0x14 STR name = { char [256] chars = [ "" ] } } HANDLE TargetObjectHandle = { void *h = 0x24 STR name = { char [256] chars = [ "" ] } } PVOID KeyContext = 0x25a57200c68 PVOID ApcContext = 0x25a57200bc0 NTSTATUS IoStatus = STATUS_SUCCESS ULONG IoStatusInformation = 0 BOOLEAN AlreadySignaled = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationWorkerFactory csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x18 STR name = { char [256] chars = [ "" ] } } WORKERFACTORYINFOCLASS WorkerFactoryInformationClass = WorkerFactoryThreadMaximum PVOID WorkerFactoryInformation = 0xf23ad2ef08 ULONG WorkerFactoryInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationWorkerFactory csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x18 STR name = { char [256] chars = [ "" ] } } WORKERFACTORYINFOCLASS WorkerFactoryInformationClass = WorkerFactoryThreadSoftMaximum PVOID WorkerFactoryInformation = 0xf23ad2ef08 ULONG WorkerFactoryInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationWorkerFactory csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x18 STR name = { char [256] chars = [ "" ] } } WORKERFACTORYINFOCLASS WorkerFactoryInformationClass = WorkerFactoryBindingCount PVOID WorkerFactoryInformation = 0xf23ad2f028 ULONG WorkerFactoryInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtAssociateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAssociateWaitCompletionPacket csyscall = { HANDLE WaitCompletionPacketHandle = { void *h = 0x10 STR name = { char [256] chars = [ "" ] } } HANDLE IoCompletionHandle = { void *h = 0x14 STR name = { char [256] chars = [ "" ] } } HANDLE TargetObjectHandle = { void *h = 0xc STR name = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } PVOID KeyContext = 0x25a57200af8 PVOID ApcContext = 0x25a57200970 NTSTATUS IoStatus = STATUS_SUCCESS ULONG IoStatusInformation = 0 BOOLEAN AlreadySignaled = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0x1b PVOID InBuffer = 0xf23ad2f128 ULONG InBufferLen = 0x4 PVOID OutBuffer = 0 ULONG OutBufferLen = 0 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2f188 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2f188 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2f188 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2f188 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2f138 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2f138 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ '\37777777610', '\37777777761', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777640', '\37777777761', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0x14 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0x7ffb00000018 ULONG Length = 0x6765525c ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2f188 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2f188 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57202000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57203000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x3c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x84 USHORT MaximumLength = 0x86 STR Buffer = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x3c STR name = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x20 USHORT MaximumLength = 0x22 STR Buffer = { char [256] chars = [ "ResourcePolicies" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0x18 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x3c STR name = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57020000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x62000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0x1 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57020000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57021000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57205000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57206000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtFreeVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtFreeVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ad2f2e0 SIZE_T RegionSize = 0 ULONG FreeType = 0x8000 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenDirectoryObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenDirectoryObject csyscall = { PHANDLE DirectoryHandle = 0x3c ACCESS_MASK_DIRECTORY DesiredAccess = { BIT1 QUERY = 0x1 BIT2 TRAVERSE = 0x1 BIT3 CREATE_OBJECT = 0 BIT4 CREATE_SUBDIRECTORY = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x14 USHORT MaximumLength = 0x16 STR Buffer = { char [256] chars = [ "\KnownDlls" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSymbolicLinkObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSymbolicLinkObject csyscall = { PHANDLE LinkHandle = 0x40 ACCESS_MASK_LINK DesiredAccess = { BIT1 QUERY = 0x1 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x18 USHORT MaximumLength = 0x1a STR Buffer = { char [256] chars = [ "KnownDllPath" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySymbolicLinkObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySymbolicLinkObject csyscall = { HANDLE LinkHandle = { void *h = 0x40 STR name = { char [256] chars = [ "\KnownDlls\KnownDllPath" ] } } UNICODE_STRING LinkTarget = { USHORT Length = 0x26 USHORT MaximumLength = 0x30 STR Buffer = { char [256] chars = [ "C:\Windows\System32" ] } } ULONG ReturnedLength = 0x28 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x40 STR name = { char [256] chars = [ "\KnownDlls\KnownDllPath" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd1e0 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0xbd240000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3d1000 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3d1000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0x44 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = SynchronizationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0x48 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = SynchronizationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a572020e0 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c91000 SIZE_T RegionSize = 0x90 ULONG NewProtect = 0x2 ULONG OldProtect = 0xa7c30000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c68f20 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c68000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0x4c ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0x1 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x26 USHORT MaximumLength = 0x28 STR Buffer = { char [256] chars = [ "\??\C:\Users\Jonas\" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x7ffb00000000 UInt64 Information = 0x1 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0x1 BIT3 FILE_SHARE_DELETE :1 = 0 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0x1 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x4c STR name = { char [256] chars = [ "\??\C:\Users\Jonas\" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x7ffb00000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2f220 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x44 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadToken csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0x1 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0x1 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtQueryInformationThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationThread csyscall = { HANDLE ThreadHandle = { void *h = 0xfffffffffffffffe STR name = { char [256] chars = [ "NtCurrentThread" ] } } THREADINFOCLASS ThreadInformationClass = ThreadDynamicCodePolicyInfo PVOID ThreadInformation = 0 ULONG ThreadInformationLength = 0x4 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x50 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x18 USHORT MaximumLength = 0x1a STR Buffer = { char [256] chars = [ "KERNEL32.DLL" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x50 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x5c BIT2 CREATE_THREAD = 0x4b BIT3 SET_SESSIONID = 0x6e BIT4 VM_OPERATION = 0x6f BIT5 VM_READ = 0x77 BIT6 VM_WRITE = 0x6e BIT7 DUP_HANDLE = 0x44 BIT8 CREATE_PROCESS = 0x6c BIT9 SET_QUOTA = 0x6c BIT10 SET_INFORMATION = 0x73 BIT11 QUERY_INFORMATION = 0x5c BIT12 SUSPEND_RESUME = 0x4b BIT13 QUERY_LIMITED_INFORMATION = 0x45 BIT14 BIT14 = 0x52 BIT15 BIT15 = 0x4e BIT16 BIT16 = 0x45 BIT17 DELETE = 0x4c BIT18 READ_CONTROL = 0x33 BIT19 WRITE_DAC = 0x32 BIT20 WRITE_OWNER = 0x2e BIT21 SYNCHRONIZE = 0x44 BIT22 BIT22 = 0x4c BIT23 BIT23 = 0x4c BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x7ffb00000000 void *UniqueThread = 0x1 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005e14 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80005e14 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005e14 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff80005e14 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x80005e14 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005e14 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a57206dd0 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb5da000 SIZE_T RegionSize = 0xa8 ULONG NewProtect = 0x2 ULONG OldProtect = 0xbb520000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb5a23b0 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb5a2000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb59f950 SIZE_T RegionSize = 0x2a60 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x54 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x1c USHORT MaximumLength = 0x1e STR Buffer = { char [256] chars = [ "KERNELBASE.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x54 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x5c BIT2 CREATE_THREAD = 0x4b BIT3 SET_SESSIONID = 0x6e BIT4 VM_OPERATION = 0x6f BIT5 VM_READ = 0x77 BIT6 VM_WRITE = 0x6e BIT7 DUP_HANDLE = 0x44 BIT8 CREATE_PROCESS = 0x6c BIT9 SET_QUOTA = 0x6c BIT10 SET_INFORMATION = 0x73 BIT11 QUERY_INFORMATION = 0x5c BIT12 SUSPEND_RESUME = 0x4b BIT13 QUERY_LIMITED_INFORMATION = 0x45 BIT14 BIT14 = 0x52 BIT15 BIT15 = 0x4e BIT16 BIT16 = 0x45 BIT17 DELETE = 0x4c BIT18 READ_CONTROL = 0x42 BIT19 WRITE_DAC = 0x41 BIT20 WRITE_OWNER = 0x53 BIT21 SYNCHRONIZE = 0x45 BIT22 BIT22 = 0x2e BIT23 BIT23 = 0x64 BIT24 BIT24 = 0x6c BIT25 BIT25 = 0x6c BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005e14 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80005e14 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005e14 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff80005e14 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x80005e14 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005e14 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a572073c0 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x800 ULONG NewProtect = 0x2 ULONG OldProtect = 0xba900000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbab3d948 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbab3d000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbab3c278 SIZE_T RegionSize = 0x16d0 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x54 STR name = { char [256] chars = [ "\KnownDlls\KERNELBASE.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2ebe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb59f950 SIZE_T RegionSize = 0x2a60 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x50 STR name = { char [256] chars = [ "\KnownDlls\KERNEL32.DLL" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2ed00 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbab3c278 SIZE_T RegionSize = 0x16d0 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessTlsInformation PVOID ProcessInformation = 0xf23ad2ed10 ULONG ProcessInformationSize = 0x28 NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x48 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemRangeStartInformation PVOID SystemInformation = 0xf23ad2ea80 ULONG SystemInformationLength = 0x8 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemBasicInformation PVOID SystemInformation = 0x7ffbbac28f80 ULONG SystemInformationLength = 0x40 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x50 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x42 USHORT MaximumLength = 0x42 STR Buffer = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSection csyscall = { PHANDLE SectionHandle = 0x54 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0x1 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0x1 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LARGE_INTEGER MaximumSize = 0x10000 ULONG SectionPageProtection = 0x4 ULONG AllocationAttributes = 0x8000000 HANDLE FileHandle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtConnectPortCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtConnectPort csyscall = { PHANDLE PortHandle = 0 UNICODE_STRING PortName = { USHORT Length = 0x36 USHORT MaximumLength = 0x42 STR Buffer = { char [256] chars = [ "\Sessions\1\Windows\ApiPortection" ] } } SECURITY_QUALITY_OF_SERVICE SecurityQos = { ULONG Length = 0x572075f0 enum ImpersonationLevel = Impersonation UCHAR ContextTrackingMode = 0x1 UCHAR EffectiveOnly = 0x1 } PORT_VIEW ClientView = { ULONG Length = 0x30 PVOID SectionHandle = 0x54 ULONG SectionOffset = 0 ULONG64 ViewSize = 0x10000 PVOID ViewBase = 0 PVOID ViewRemoteBase = 0 } REMOTE_PORT_VIEW ServerView = { ULONG Length = 0x18 ULONG64 ViewSize = 0 PVOID ViewBase = 0 } ULONG MaxMessageLength = 0x95 PVOID ConnectionInformation = 0xf23ad2e8f0 ULONG ConnectionInformationLength = 0x30 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x54 STR name = { char [256] chars = [ "\KnownDlls\KERNELBASE.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7df4b6e90000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0x100000 SECTION_INHERIT InheritDisposition = ViewUnmap ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0x1 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0x1 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b526a struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x90000090 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0x1f BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0x63 BIT30 GENERIC_EXECUTE = 0x74 BIT32 GENERIC_READ = 0x69 BIT31 GENERIC_WRITE = 0x6f } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x6e HANDLE RootDirectory = { void *h = 0x5a2050005a2050 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x100 void *Group = 0x100000000 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b52b8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80004ebc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryDefaultLocaleCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8068509d023 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryDefaultLocale csyscall = { BOOLEAN UserProfile = 0x80 LCID DefaultLocaleId = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57208000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b526a struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x25a57200000 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0x45 BIT19 WRITE_DAC = 0x92 BIT20 WRITE_OWNER = 0xba BIT21 SYNCHRONIZE = 0xfb BIT22 BIT22 = 0x7f BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x100 void *Group = 0x100000000 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b52b8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80002308 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b526a struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x25a57200000 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0x10 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x100 void *Group = 0x100000000 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806851b52b8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80002308 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateFile csyscall = { PHANDLE FileHandle = 0x5c ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0x1 BIT3 APPEND_DATA :1 = 0x1 BIT4 READ_EA :1 = 0x1 BIT5 WRITE_EA :1 = 0x1 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0x1 BIT9 WRITE_ATTRIBUTES :1 = 0x1 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0x1 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x2a USHORT MaximumLength = 0x2c STR Buffer = { char [256] chars = [ "\Device\ConDrv\Server" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0x1 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } LARGE_INTEGER AllocationSize = 0 FILE_ATTRIBUTES FileAttributes = { BIT1 READONLY :1 = 0 BIT2 HIDDEN :1 = 0 BIT3 SYSTEM :1 = 0 BIT4 UNUSED :1 = 0 BIT5 DIRECTORY :1 = 0 BIT6 ARCHIVE :1 = 0 BIT7 DEVICE :1 = 0 BIT8 NORMAL :1 = 0 BIT9 TEMPORARY :1 = 0 BIT10 SPARSE_FILE :1 = 0 BIT11 REPARSE_POINT :1 = 0 BIT12 COMPRESSED :1 = 0 BIT13 OFFLINE :1 = 0 BIT14 NOT_CONTENT_INDEXED :1 = 0 BIT15 ENCRYPTED :1 = 0 BIT16 INTEGRITY_STREAM :1 = 0 BIT17 VIRTUAL :1 = 0 BIT18 NO_SCRUB_DATA :1 = 0 BIT19 EA :1 = 0 BIT20 PINNED :1 = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0x1 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_DISPOSITION CreateDisposition = CREATE FILE_OPTIONS CreateOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0 BIT7 NON_DIRECTORY_FILE = 0 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } PVOID EaBuffer = 0 ULONG EaLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateFile csyscall = { PHANDLE FileHandle = 0x60 ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0x1 BIT3 APPEND_DATA :1 = 0x1 BIT4 READ_EA :1 = 0x1 BIT5 WRITE_EA :1 = 0x1 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0x1 BIT9 WRITE_ATTRIBUTES :1 = 0x1 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0x1 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x5c STR name = { char [256] chars = [ "\Device\ConDrv\Server" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x14 USHORT MaximumLength = 0x16 STR Buffer = { char [256] chars = [ "\Reference" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } LARGE_INTEGER AllocationSize = 0 FILE_ATTRIBUTES FileAttributes = { BIT1 READONLY :1 = 0 BIT2 HIDDEN :1 = 0 BIT3 SYSTEM :1 = 0 BIT4 UNUSED :1 = 0 BIT5 DIRECTORY :1 = 0 BIT6 ARCHIVE :1 = 0 BIT7 DEVICE :1 = 0 BIT8 NORMAL :1 = 0 BIT9 TEMPORARY :1 = 0 BIT10 SPARSE_FILE :1 = 0 BIT11 REPARSE_POINT :1 = 0 BIT12 COMPRESSED :1 = 0 BIT13 OFFLINE :1 = 0 BIT14 NOT_CONTENT_INDEXED :1 = 0 BIT15 ENCRYPTED :1 = 0 BIT16 INTEGRITY_STREAM :1 = 0 BIT17 VIRTUAL :1 = 0 BIT18 NO_SCRUB_DATA :1 = 0 BIT19 EA :1 = 0 BIT20 PINNED :1 = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0x1 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_DISPOSITION CreateDisposition = CREATE FILE_OPTIONS CreateOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } PVOID EaBuffer = 0 ULONG EaLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57209000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8068509a482 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x60 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x5c BIT2 SET_VALUE = 0x44 BIT3 CREATE_SUB_KEY = 0x65 BIT4 ENUMERATE_SUB_KEYS = 0x76 BIT5 NOTIFY = 0x69 BIT6 CREATE_LINK = 0x63 BIT9 WOW64_64KEY = 0x65 BIT10 WOW64_32KEY = 0x5c BIT11 BIT11 = 0x43 BIT12 BIT12 = 0x6f BIT13 BIT13 = 0x6e BIT14 BIT14 = 0x44 BIT15 BIT15 = 0x72 BIT16 BIT16 = 0x76 BIT17 DELETE = 0x5c BIT18 READ_CONTROL = 0x53 BIT19 WRITE_DAC = 0x65 BIT20 WRITE_OWNER = 0x72 BIT21 SYNCHRONIZE = 0x76 BIT22 BIT22 = 0x65 BIT23 BIT23 = 0x72 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0x5c BIT28 BIT28 = 0x52 BIT29 BIT29 = 0x65 BIT30 GENERIC_EXECUTE = 0x66 BIT32 GENERIC_READ = 0x65 BIT31 GENERIC_WRITE = 0x72 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x6563 HANDLE RootDirectory = { void *h = 0x3f5c STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80005870 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x732c void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80003110 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003110 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtDuplicateTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c132c05 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtDuplicateToken csyscall = { HANDLE ExistingTokenHandle = { void *h = 0x80003110 STR name = { char [256] chars = [ "" ] } } ACCESS_MASK_TOKEN DesiredAccess = { BIT1 ASSIGN_PRIMARY = 0 BIT2 DUPLICATE = 0 BIT3 IMPERSONATE = 0 BIT4 QUERY = 0x1 BIT5 QUERY_SOURCE = 0 BIT6 ADJUST_PRIVILEGES = 0 BIT7 ADJUST_GROUPS = 0 BIT8 ADJUST_DEFAULT = 0 BIT9 ADJUST_SESSIONID = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0xc enum ImpersonationLevel = Impersonation UCHAR ContextTrackingMode = 0x1 UCHAR EffectiveOnly = 0 } } BOOLEAN EffectiveOnly = 0 TOKEN_TYPE TokenType = TokenImpersonation PHANDLE NewTokenHandle = 0xffffffff80006154 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c132db9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80006154 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c132b09 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003110 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11dda6 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } PROCESSINFOCLASS ProcessInformationClass = MaxProcessInfoClass PVOID ProcessInformation = 0 ULONG ProcessInformationLength = 0 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11de10 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessProtectionInformation PVOID ProcessInformation = 0 ULONG ProcessInformationLength = 0 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e13d struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069fd64663 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80005870 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x732c void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069fd646fe struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80005870 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11a623 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80005870 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11c45f struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80005870 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x732c void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11c4e0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069fd64663 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80005870 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x732c void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069fd646fe struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8068732c453 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenIsAppContainer PVOID TokenInformation = 0xffff888300000000 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069a54b724 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessImageFileName PVOID ProcessInformation = 0 ULONG ProcessInformationLength = 0 ULONG ReturnedResultLength = 0x7a NTSTATUS result = -1073741820 } }struct NtQueryInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069a54b724 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0x80005870 STR name = { char [256] chars = [ "" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessImageFileName PVOID ProcessInformation = 0x6a0068 ULONG ProcessInformationLength = 0 ULONG ReturnedResultLength = 0x7a NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWnfStateNameCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8068509b50b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWnfStateName csyscall = { WNF_STATE_NAME StateName = { UInt32 [2] Data = [ 0x80005870, 0 ] } WNF_STATE_NAME_LIFETIME NameLifetime = WnfWellKnownStateName WNF_DATA_SCOPE DataScope = WnfDataScopeSystem BOOLEAN PersistData = 0 WNF_TYPE_ID TypeId = { struct TypeId = { DWORD Data1 = 0 WORD Data2 = 0 WORD Data3 = 0 BYTE [8] Data4 = [ 0, 0, 0, 0, 0, 0, 0, 0 ] } } ULONG MaximumStateSize = 0 SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069a5493f0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xffffffff80003110 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0x1 BIT3 CREATE_SUB_KEY = 0x1 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0x1 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0x1 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x80000314 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x5c USHORT MaximumLength = 0x178 STR Buffer = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069a548fe9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x80003110 STR name = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x68 USHORT MaximumLength = 0x68 STR Buffer = { char [256] chars = [ "\Device\HarddiskVolume3\Windows\System32\conhost.exe" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0xffffffff80000314 ULONG Length = 0x28 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069a54abe1 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003110 STR name = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069a54ba35 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x8c USHORT MaximumLength = 0x8e STR Buffer = { char [256] chars = [ "\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BAM" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80003110 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003110 STR name = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff80003110 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x732c void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80003110 STR name = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x5c STR name = { char [256] chars = [ "\Device\ConDrv\Server" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f76a2aa struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0x1 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateFile csyscall = { PHANDLE FileHandle = 0x68 ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0x1 BIT3 APPEND_DATA :1 = 0x1 BIT4 READ_EA :1 = 0x1 BIT5 WRITE_EA :1 = 0x1 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0x1 BIT9 WRITE_ATTRIBUTES :1 = 0x1 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0x1 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x64 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xc USHORT MaximumLength = 0xe STR Buffer = { char [256] chars = [ "\Input" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0x1 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } LARGE_INTEGER AllocationSize = 0 FILE_ATTRIBUTES FileAttributes = { BIT1 READONLY :1 = 0 BIT2 HIDDEN :1 = 0 BIT3 SYSTEM :1 = 0 BIT4 UNUSED :1 = 0 BIT5 DIRECTORY :1 = 0 BIT6 ARCHIVE :1 = 0 BIT7 DEVICE :1 = 0 BIT8 NORMAL :1 = 0 BIT9 TEMPORARY :1 = 0 BIT10 SPARSE_FILE :1 = 0 BIT11 REPARSE_POINT :1 = 0 BIT12 COMPRESSED :1 = 0 BIT13 OFFLINE :1 = 0 BIT14 NOT_CONTENT_INDEXED :1 = 0 BIT15 ENCRYPTED :1 = 0 BIT16 INTEGRITY_STREAM :1 = 0 BIT17 VIRTUAL :1 = 0 BIT18 NO_SCRUB_DATA :1 = 0 BIT19 EA :1 = 0 BIT20 PINNED :1 = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0x1 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_DISPOSITION CreateDisposition = CREATE FILE_OPTIONS CreateOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } PVOID EaBuffer = 0 ULONG EaLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateFile csyscall = { PHANDLE FileHandle = 0x6c ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0x1 BIT3 APPEND_DATA :1 = 0x1 BIT4 READ_EA :1 = 0x1 BIT5 WRITE_EA :1 = 0x1 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0x1 BIT9 WRITE_ATTRIBUTES :1 = 0x1 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0x1 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x64 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xe USHORT MaximumLength = 0x10 STR Buffer = { char [256] chars = [ "\Output" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0x1 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } LARGE_INTEGER AllocationSize = 0 FILE_ATTRIBUTES FileAttributes = { BIT1 READONLY :1 = 0 BIT2 HIDDEN :1 = 0 BIT3 SYSTEM :1 = 0 BIT4 UNUSED :1 = 0 BIT5 DIRECTORY :1 = 0 BIT6 ARCHIVE :1 = 0 BIT7 DEVICE :1 = 0 BIT8 NORMAL :1 = 0 BIT9 TEMPORARY :1 = 0 BIT10 SPARSE_FILE :1 = 0 BIT11 REPARSE_POINT :1 = 0 BIT12 COMPRESSED :1 = 0 BIT13 OFFLINE :1 = 0 BIT14 NOT_CONTENT_INDEXED :1 = 0 BIT15 ENCRYPTED :1 = 0 BIT16 INTEGRITY_STREAM :1 = 0 BIT17 VIRTUAL :1 = 0 BIT18 NO_SCRUB_DATA :1 = 0 BIT19 EA :1 = 0 BIT20 PINNED :1 = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0x1 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_DISPOSITION CreateDisposition = CREATE FILE_OPTIONS CreateOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } PVOID EaBuffer = 0 ULONG EaLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtDuplicateObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtDuplicateObject csyscall = { HANDLE SourceProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } HANDLE SourceHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } HANDLE TargetProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } HANDLE TargetHandle = { void *h = 0x70 STR name = { char [256] chars = [ ' ', '\37777777752', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\0', '\0', ' ', 'W', 'Z', '\002', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '`', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'd', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'n', '\0', 'p', '\0', '\0', '\0', '\0', '\0', '\37777777620', '\37777777747', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'F', '\0', 'p', '\0', '\0', '\0', '\0', '\0', '\37777777620', '\37777777747', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\036', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', ' ', 'W', 'Z', '\002', '\0', '\0', '\', '\0', '?', '\0', '?', '\0', '\', '\0', 'C', '\0', ':', '\0', '\', '\0', 'W', '\0', 'i', '\0', 'n', '\0', 'd', '\0', 'o', '\0', 'w', '\0', 's', '\0', '\', '\0', 's', '\0', 'y', '\0', 's', '\0', 't', '\0', 'e', '\0', 'm', '\0', '3', '\0', '2', '\0', '\', '\0', 'c', '\0', 'o', '\0', 'n', '\0', 'h', '\0', 'o', '\0', 's', '\0', 't', '\0', '.', '\0', 'e', '\0', 'x', '\0', 'e', '\0', ' ', '\0', '0', '\0', 'x', '\0', 'f', '\0', 'f', '\0', 'f', '\0', 'f', '\0', 'f', '\0', 'f', '\0', 'f', '\0', 'f', '\0', ' ', '\0', '-', '\0', 'F', '\0', 'o', '\0', 'r', '\0', 'c', '\0', 'e', '\0', 'V', '\0', '1', '\0', '\0', '\0', '\37777777640', '\001', '7', '\37777777675', '\37777777773', '\177', '\0', '\0', '\020', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777626', '#', ' ', 'W', 'Z', '\002', '\0', '\0', ' ', '\37777777751', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'P', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0 ULONG Options = 0x6 NTSTATUS result = STATUS_SUCCESS } }struct NtDeviceIoControlFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtDeviceIoControlFile csyscall = { HANDLE FileHandle = { void *h = 0x64 STR name = { char [256] chars = [ "" ] } } HANDLE Event = { void *h = 0 STR name = { char [256] chars = [ "" ] } } PIO_APC_ROUTINE ApcRoutine = 0 PVOID ApcContext = 0 IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } IO_CTRL_CODE IoControlCode = 5242915 INBUF InputBuffer = { byte [128] buf = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } INLEN InputBufferLength = 0 OUTBUF outBuffer = { byte [128] buf = [ 0x2c, 0x73, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ] } OUTLEN outBufferLength = 0x8 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessOwnerInformation PVOID ProcessInformation = 0xf23ad2e9f8 ULONG ProcessInformationSize = 0x8 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f7690de struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0x6c Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2e8d8 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2e8d8 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x6578650000001e STR name = { char [256] chars = [ '(', '\37777777751', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', 'e', 'n', 'g', '.', '@', '\37777777751', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', 'e', 'x', 'e', '\0', 'c', 'm', 'd', '.', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0x70 ULONG Length = 0 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xac USHORT MaximumLength = 0xae STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2eb18 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2eb18 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0x1e PVOID InBuffer = 0xf23ad2eb68 ULONG InBufferLen = 0x18 PVOID OutBuffer = 0xf23ad2eb80 ULONG OutBufferLen = 0x78 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2eb48 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2eb48 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ '\37777777630', '\37777777753', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777660', '\37777777753', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = 6881394 PVOID KeyValueInformation = 0x70 ULONG Length = 0x730079 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemBasicInformation PVOID SystemInformation = 0x7ffbbb5d2a40 ULONG SystemInformationLength = 0x40 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x44 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0x740073 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2efe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2efe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac443e8 SIZE_T RegionSize = 0x50 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44480 SIZE_T RegionSize = 0x20 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44440 SIZE_T RegionSize = 0x20 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac444a8 SIZE_T RegionSize = 0x40 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac444f0 SIZE_T RegionSize = 0x10 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44570 SIZE_T RegionSize = 0x58 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44468 SIZE_T RegionSize = 0x10 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44508 SIZE_T RegionSize = 0x60 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac446a8 SIZE_T RegionSize = 0x18 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac445d0 SIZE_T RegionSize = 0xb8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eaf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44690 SIZE_T RegionSize = 0x10 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2ec50 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbac44000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0x1 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x84 USHORT MaximumLength = 0x86 STR Buffer = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0x7c STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Srp\GP\DLL" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x7c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x96 USHORT MaximumLength = 0x98 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x7c STR name = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x24 USHORT MaximumLength = 0x26 STR Buffer = { char [256] chars = [ "TransparentEnabled" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0xf23ad2f270 ULONG Length = 0x50 ULONG ResultLength = 0x7a NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x7c STR name = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2f090 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xee USHORT MaximumLength = 0xf2 STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Policies\Microsoft\Windows\Saf" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2efe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x7c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x7c STR name = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x20 USHORT MaximumLength = 0x22 STR Buffer = { char [256] chars = [ "LongPathsEnabled" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x14 ULONG ResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x7c STR name = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationThread csyscall = { HANDLE ThreadHandle = { void *h = 0xfffffffffffffffe STR name = { char [256] chars = [ "NtCurrentThread" ] } } THREADINFOCLASS ThreadInformationClass = ThreadDynamicCodePolicyInfo PVOID ThreadInformation = 0 ULONG ThreadInformationLength = 0x4 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformationEx csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemLogicalProcessorAndGroupInformation PVOID InputBuffer = 0xf23ad2f1c0 ULONG InputBufferLength = 0x4 PVOID SystemInformation = 0 ULONG SystemInformationLength = 0 ULONG ReturnedResultLength = 0x30 NTSTATUS result = -1073741820 } }struct NtQuerySystemInformationExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformationEx csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemLogicalProcessorAndGroupInformation PVOID InputBuffer = 0xf23ad2f1c0 ULONG InputBufferLength = 0x4 PVOID SystemInformation = 0x25a572061f0 ULONG SystemInformationLength = 0x30 ULONG ReturnedResultLength = 0x30 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateIoCompletionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateIoCompletion csyscall = { PHANDLE IoCompletionHandle = 0x7c ACCESS_MASK_IOCOMPLETION DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG Count = 0xd NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWorkerFactory csyscall = { PHANDLE WorkerFactoryHandleReturn = 0 ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0x1 BIT2 BIT2 = 0x1 BIT3 BIT3 = 0x1 BIT4 BIT4 = 0x1 BIT5 BIT5 = 0x1 BIT6 BIT6 = 0x1 BIT7 BIT7 = 0x1 BIT8 BIT8 = 0x1 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } HANDLE CompletionPortHandle = { void *h = 0x7c STR name = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" ] } } HANDLE WorkerProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PTPP_START_ROUTINE StartParameter = 0x7ffbbd256870 PVOID MaxThreadCount = 0x25a57206f70 ULONG StackReserve = 0x200 SIZE_T StackCommit = 0x100000 SIZE_T arg1 = 0xfc000 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationWorkerFactory csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } WORKERFACTORYINFOCLASS WorkerFactoryInformationClass = WorkerFactoryFlags PVOID WorkerFactoryInformation = 0xf23ad2f268 ULONG WorkerFactoryInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateTimer2CALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateTimer2 csyscall = { PHANDLE TimerHandle = 0x84 PVOID ReservedA = 0 PVOID ReservedB = 0 ULONG Attributes = 0x8 ACCESS_MASK_TIMER DesiredAccess = { BIT1 QUERY_STATE = 0 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWaitCompletionPacket csyscall = { PHANDLE WaitCompletionPacketHandle = 0x88 ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0x1 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtAssociateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAssociateWaitCompletionPacket csyscall = { HANDLE WaitCompletionPacketHandle = { void *h = 0x88 STR name = { char [256] chars = [ "" ] } } HANDLE IoCompletionHandle = { void *h = 0x7c STR name = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" ] } } HANDLE TargetObjectHandle = { void *h = 0x84 STR name = { char [256] chars = [ "" ] } } PVOID KeyContext = 0x25a57207010 PVOID ApcContext = 0x25a57206fe0 NTSTATUS IoStatus = STATUS_SUCCESS ULONG IoStatusInformation = 0 BOOLEAN AlreadySignaled = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateTimer2CALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateTimer2 csyscall = { PHANDLE TimerHandle = 0x8c PVOID ReservedA = 0 PVOID ReservedB = 0 ULONG Attributes = 0x8 ACCESS_MASK_TIMER DesiredAccess = { BIT1 QUERY_STATE = 0 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWaitCompletionPacket csyscall = { PHANDLE WaitCompletionPacketHandle = 0x90 ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0x1 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtAssociateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAssociateWaitCompletionPacket csyscall = { HANDLE WaitCompletionPacketHandle = { void *h = 0x90 STR name = { char [256] chars = [ "" ] } } HANDLE IoCompletionHandle = { void *h = 0x7c STR name = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" ] } } HANDLE TargetObjectHandle = { void *h = 0x8c STR name = { char [256] chars = [ "" ] } } PVOID KeyContext = 0x25a57207088 PVOID ApcContext = 0x25a57206fe0 NTSTATUS IoStatus = STATUS_SUCCESS ULONG IoStatusInformation = 0 BOOLEAN AlreadySignaled = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationWorkerFactory csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } WORKERFACTORYINFOCLASS WorkerFactoryInformationClass = WorkerFactoryIdleTimeout PVOID WorkerFactoryInformation = 0xf23ad2f268 ULONG WorkerFactoryInformationLength = 0x8 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationWorkerFactory csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } WORKERFACTORYINFOCLASS WorkerFactoryInformationClass = WorkerFactoryThreadMaximum PVOID WorkerFactoryInformation = 0xf23ad2f268 ULONG WorkerFactoryInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadToken csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0x1 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0x1 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c68530 SIZE_T RegionSize = 0x9f0 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x94 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x14 USHORT MaximumLength = 0x16 STR Buffer = { char [256] chars = [ "msvcrt.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x94 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x5c BIT2 CREATE_THREAD = 0x4b BIT3 SET_SESSIONID = 0x6e BIT4 VM_OPERATION = 0x6f BIT5 VM_READ = 0x77 BIT6 VM_WRITE = 0x6e BIT7 DUP_HANDLE = 0x44 BIT8 CREATE_PROCESS = 0x6c BIT9 SET_QUOTA = 0x6c BIT10 SET_INFORMATION = 0x73 BIT11 QUERY_INFORMATION = 0x5c BIT12 SUSPEND_RESUME = 0x6d BIT13 QUERY_LIMITED_INFORMATION = 0x73 BIT14 BIT14 = 0x76 BIT15 BIT15 = 0x63 BIT16 BIT16 = 0x72 BIT17 DELETE = 0x74 BIT18 READ_CONTROL = 0x2e BIT19 WRITE_DAC = 0x64 BIT20 WRITE_OWNER = 0x6c BIT21 SYNCHRONIZE = 0x6c BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044b8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff800044b8 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a57208ae0 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbcfbb668 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0xbcf40000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbcfbb000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySecurityAttributesTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySecurityAttributesToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffc STR name = { char [256] chars = [ "NtCurrentProcessToken" ] } } UNICODE_STRING Attributes = { USHORT Length = 0x1c USHORT MaximumLength = 0x1e STR Buffer = { char [256] chars = [ "WIN://SYSAPPID" ] } } ULONG NumberOfAttributes = 0 PVOID Buffer = 0xf23ad2e5a0 ULONG Length = 0x330 ULONG ReturnLength = 0 NTSTATUS result = -1073741275 } }struct NtQuerySecurityAttributesTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySecurityAttributesToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffc STR name = { char [256] chars = [ "NtCurrentProcessToken" ] } } UNICODE_STRING Attributes = { USHORT Length = 0x1c USHORT MaximumLength = 0x1e STR Buffer = { char [256] chars = [ "WIN://SYSAPPID" ] } } ULONG NumberOfAttributes = 0 PVOID Buffer = 0xf23ad2e5a0 ULONG Length = 0x330 ULONG ReturnLength = 0 NTSTATUS result = -1073741275 } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbcf40000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2e818 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbcfbb0d0 SIZE_T RegionSize = 0x598 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806850800e6 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessBasicInformation PVOID ProcessInformation = 0x598 ULONG ProcessInformationSize = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685080152 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23b004000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0xfc000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806850801a8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23b001000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x3000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0x1 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044b8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044b8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtResumeThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80684ca49f8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtResumeThread csyscall = { HANDLE ThreadHandle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } ULONG PreviousSuspendCount = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x94 STR name = { char [256] chars = [ "\KnownDlls\msvcrt.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x94 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x16 USHORT MaximumLength = 0x18 STR Buffer = { char [256] chars = [ "combase.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x94 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x5c BIT2 CREATE_THREAD = 0x4b BIT3 SET_SESSIONID = 0x6e BIT4 VM_OPERATION = 0x6f BIT5 VM_READ = 0x77 BIT6 VM_WRITE = 0x6e BIT7 DUP_HANDLE = 0x44 BIT8 CREATE_PROCESS = 0x6c BIT9 SET_QUOTA = 0x6c BIT10 SET_INFORMATION = 0x73 BIT11 QUERY_INFORMATION = 0x5c BIT12 SUSPEND_RESUME = 0x63 BIT13 QUERY_LIMITED_INFORMATION = 0x6f BIT14 BIT14 = 0x6d BIT15 BIT15 = 0x62 BIT16 BIT16 = 0x61 BIT17 DELETE = 0x73 BIT18 READ_CONTROL = 0x65 BIT19 WRITE_DAC = 0x2e BIT20 WRITE_OWNER = 0x64 BIT21 SYNCHRONIZE = 0x6c BIT22 BIT22 = 0x6c BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044b8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff800044b8 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a57208eb0 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbc266000 SIZE_T RegionSize = 0x6a0 ULONG NewProtect = 0x2 ULONG OldProtect = 0xbbf10000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbc1b5bc0 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbc1b5000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbbf10000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2e818 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbc1b4958 SIZE_T RegionSize = 0x1268 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x98 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x18 USHORT MaximumLength = 0x1a STR Buffer = { char [256] chars = [ "ucrtbase.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x98 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x5c BIT2 CREATE_THREAD = 0x4b BIT3 SET_SESSIONID = 0x6e BIT4 VM_OPERATION = 0x6f BIT5 VM_READ = 0x77 BIT6 VM_WRITE = 0x6e BIT7 DUP_HANDLE = 0x44 BIT8 CREATE_PROCESS = 0x6c BIT9 SET_QUOTA = 0x6c BIT10 SET_INFORMATION = 0x73 BIT11 QUERY_INFORMATION = 0x5c BIT12 SUSPEND_RESUME = 0x75 BIT13 QUERY_LIMITED_INFORMATION = 0x63 BIT14 BIT14 = 0x72 BIT15 BIT15 = 0x74 BIT16 BIT16 = 0x62 BIT17 DELETE = 0x61 BIT18 READ_CONTROL = 0x73 BIT19 WRITE_DAC = 0x65 BIT20 WRITE_OWNER = 0x2e BIT21 SYNCHRONIZE = 0x64 BIT22 BIT22 = 0x6c BIT23 BIT23 = 0x6c BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtWorkerFactoryWorkerReadyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtWorkerFactoryWorkerReady csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044b8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff800044b8 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbcfbb0d0 SIZE_T RegionSize = 0x598 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessTlsInformation PVOID ProcessInformation = 0xf23b0ff740 ULONG ProcessInformationSize = 0x28 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a57209390 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x48 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbafd8af0 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0xbaf10000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbafd8000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbaf10000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2e0d8 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbafd85c8 SIZE_T RegionSize = 0x528 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtReleaseWorkerFactoryWorkerCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtReleaseWorkerFactoryWorker csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x98 STR name = { char [256] chars = [ "\KnownDlls\ucrtbase.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0x98 STR name = { char [256] chars = [ "\KnownDlls\ucrtbase.dll" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x98 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x14 USHORT MaximumLength = 0x16 STR Buffer = { char [256] chars = [ "RPCRT4.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbafd85c8 SIZE_T RegionSize = 0x528 ULONG NewProtect = 0x2 ULONG OldProtect = 0xbac1b63d NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x48 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x98 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x5c BIT2 CREATE_THREAD = 0x4b BIT3 SET_SESSIONID = 0x6e BIT4 VM_OPERATION = 0x6f BIT5 VM_READ = 0x77 BIT6 VM_WRITE = 0x6e BIT7 DUP_HANDLE = 0x44 BIT8 CREATE_PROCESS = 0x6c BIT9 SET_QUOTA = 0x6c BIT10 SET_INFORMATION = 0x73 BIT11 QUERY_INFORMATION = 0x5c BIT12 SUSPEND_RESUME = 0x52 BIT13 QUERY_LIMITED_INFORMATION = 0x50 BIT14 BIT14 = 0x43 BIT15 BIT15 = 0x52 BIT16 BIT16 = 0x54 BIT17 DELETE = 0x34 BIT18 READ_CONTROL = 0x2e BIT19 WRITE_DAC = 0x64 BIT20 WRITE_OWNER = 0x6c BIT21 SYNCHRONIZE = 0x6c BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044b8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff800044b8 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a57209c20 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb969000 SIZE_T RegionSize = 0x288 ULONG NewProtect = 0x2 ULONG OldProtect = 0xbb850000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb93d6b0 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb93d000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb850000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2e0d8 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb93cbe0 SIZE_T RegionSize = 0xad0 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtReleaseWorkerFactoryWorkerCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtReleaseWorkerFactoryWorker csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x98 STR name = { char [256] chars = [ "\KnownDlls\RPCRT4.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806850800e6 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessBasicInformation PVOID ProcessInformation = 0xad0 ULONG ProcessInformationSize = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685080152 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23b104000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0xfc000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff806850801a8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23b101000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x3000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0x1 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff6b0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff6b0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0 STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff6b0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044b8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "NtCurrentProcess" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } PVOID BaseAddress = 0x7ffbbb93cbe0 SIZE_T RegionSize = 0xad0 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0 STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbaf10000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044b8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "NtCurrentProcess" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb850000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtResumeThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80684ca49f8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtResumeThread csyscall = { HANDLE ThreadHandle = { void *h = 0x800044b8 STR name = { char [256] chars = [ "" ] } } ULONG PreviousSuspendCount = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "\KnownDlls\combase.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbcf40000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2f060 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff730 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb520000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2f060 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff6b0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xff STR name = { char [256] chars = [ "" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2f060 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff6b0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff6b0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2efe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23b0ff6b0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2efe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2efe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbc1b4958 SIZE_T RegionSize = 0x1268 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbbf10000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2f060 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessTlsInformation PVOID ProcessInformation = 0xf23b0ff740 ULONG ProcessInformationSize = 0x28 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c68530 SIZE_T RegionSize = 0x9f0 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x48 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x44 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57300000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x130000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0x1 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtFreeVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtFreeVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ad2ece0 SIZE_T RegionSize = 0x120000 ULONG FreeType = 0x8000 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57420000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x68 STR name = { char [256] chars = [ "\Input" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2efd0 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2efd0 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x70 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2efd0 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x94 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x8e USHORT MaximumLength = 0x90 STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x94 STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions" ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0x100000000 ULONG Length = 0x214 ULONG ResultLength = 0x2a NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x94 STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x10 USHORT MaximumLength = 0x12 STR Buffer = { char [256] chars = [ "000604xx" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0x100000000 ULONG Length = 0x214 ULONG ResultLength = 0x42 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57422000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57423000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbcfcb370 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2edf0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57425000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x98 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x84 USHORT MaximumLength = 0x86 STR Buffer = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x98 STR name = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x20 USHORT MaximumLength = 0x22 STR Buffer = { char [256] chars = [ "ResourcePolicies" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0x18 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x98 STR name = { char [256] chars = [ "\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57300000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x62000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0x1 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57300000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2ebe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2ebe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2ebe0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2ec90 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a5720b000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x68 STR name = { char [256] chars = [ "\Input" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2efb0 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2efb0 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtWorkerFactoryWorkerReadyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083824c50c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x5058 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtWorkerFactoryWorkerReady csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x70 STR name = { char [256] chars = [ "" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2efb0 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2de70 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a5720d000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a5720e000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbba900000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2ec70 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0x98 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x22 USHORT MaximumLength = 0x22 STR Buffer = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2eb58 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0x9c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x2c USHORT MaximumLength = 0x2e STR Buffer = { char [256] chars = [ "SOFTWARE\Microsoft\OLE" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x9c STR name = { char [256] chars = [ "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x34 USHORT MaximumLength = 0x36 STR Buffer = { char [256] chars = [ "PageAllocatorUseSystemHeap" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0xf200000030 ULONG Length = 0x14 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessRaiseUMExceptionOnInvalidHandleClose PVOID ProcessInformation = 0xf23ad2eee0 ULONG ProcessInformationSize = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x9c STR name = { char [256] chars = [ "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2eb58 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0x9c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x2c USHORT MaximumLength = 0x2e STR Buffer = { char [256] chars = [ "SOFTWARE\Microsoft\OLE" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x9c STR name = { char [256] chars = [ "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x40 USHORT MaximumLength = 0x42 STR Buffer = { char [256] chars = [ "PageAllocatorSystemHeapIsPrivate" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0xf200000030 ULONG Length = 0x14 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x9c STR name = { char [256] chars = [ "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2eb78 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0x9c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x2c USHORT MaximumLength = 0x2e STR Buffer = { char [256] chars = [ "SOFTWARE\Microsoft\OLE" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x9c STR name = { char [256] chars = [ "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x28 USHORT MaximumLength = 0x2a STR Buffer = { char [256] chars = [ "AggressiveMTATesting" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0xf200000030 ULONG Length = 0x10 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x9c STR name = { char [256] chars = [ "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryWnfStateDataCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryWnfStateData csyscall = { WNF_STATE_NAME StateName = { UInt32 [2] Data = [ 0xa3bc0875, 0x280032e ] } WNF_TYPE_ID TypeId = { struct TypeId = { DWORD Data1 = 0x48f96463 WORD Data2 = 0x52d6 WORD Data3 = 0x4e85 BYTE [8] Data4 = [ 0x9c, 0x2, 0xf2, 0xc1, 0x4e, 0x17, 0x26, 0x4e ] } } PVOID ExplicitScope = 0 WNF_CHANGE_STAMP ChangeStamp = 0x7ffb PVOID Buffer = 0xf23ad2dd40 ULONG BufferSize = 0x1000 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0x9c ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = SynchronizationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateWaitCompletionPacket csyscall = { PHANDLE WaitCompletionPacketHandle = 0xa0 ACCESS_MASK DesiredAccess = { BIT1 BIT1 = 0x1 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtSetWnfProcessNotificationEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetWnfProcessNotificationEvent csyscall = { HANDLE NotificationEvent = { void *h = 0x9c STR name = { char [256] chars = [ "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtAssociateWaitCompletionPacketCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAssociateWaitCompletionPacket csyscall = { HANDLE WaitCompletionPacketHandle = { void *h = 0xa0 STR name = { char [256] chars = [ "" ] } } HANDLE IoCompletionHandle = { void *h = 0x14 STR name = { char [256] chars = [ "" ] } } HANDLE TargetObjectHandle = { void *h = 0x9c STR name = { char [256] chars = [ "\REGISTRY\MACHINE\SOFTWARE\Microsoft\OLE" ] } } PVOID KeyContext = 0x25a5720d3e8 PVOID ApcContext = 0x25a5720d260 NTSTATUS IoStatus = STATUS_SUCCESS ULONG IoStatusInformation = 0 BOOLEAN AlreadySignaled = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSubscribeWnfStateChangeCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSubscribeWnfStateChange csyscall = { WNF_STATE_NAME StateName = { UInt32 [2] Data = [ 0xa3bc0875, 0x280032e ] } WNF_CHANGE_STAMP ChangeStamp = 0x6 ULONG EventMask = 0x11 ULONG SubscriptionId = 0xa3bc0875 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformationEx csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemFeatureConfigurationSectionInformation PVOID InputBuffer = 0xf23ad2ec50 ULONG InputBufferLength = 0x18 PVOID SystemInformation = 0xf23ad2ec70 ULONG SystemInformationLength = 0x50 ULONG ReturnedResultLength = 0x6c707865 NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0xa4 STR name = { char [256] chars = [ "" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571a0000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0x1000 SECTION_INHERIT InheritDisposition = ViewUnmap ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0xa8 STR name = { char [256] chars = [ "" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571b0000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0x1000 SECTION_INHERIT InheritDisposition = ViewUnmap ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571c0000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0x1000 SECTION_INHERIT InheritDisposition = ViewUnmap ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xa4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xa8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffc STR name = { char [256] chars = [ "NtCurrentProcessToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenElevation PVOID TokenInformation = 0x25a00000000 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffc STR name = { char [256] chars = [ "NtCurrentProcessToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUIAccess PVOID TokenInformation = 0xf200000000 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2eaa8 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0x50 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0x2 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationKey csyscall = { HANDLE KeyHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } KEY_SET_INFORMATION_CLASS KeySetInformationClass = KeySetHandleTagsInformation PVOID KeySetInformation = 0xf23ad2eae8 ULONG KeySetInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2ea58 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x66 USHORT MaximumLength = 0x68 STR Buffer = { char [256] chars = [ "Software\Microsoft\Ole\FeatureDevelopmentProperties" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xa8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x80 USHORT MaximumLength = 0x82 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xa8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0 ULONG Length = 0 ULONG ReturnedResultLength = 0x26 NTSTATUS result = -1073741789 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0x25a5720c4d0 ULONG Length = 0x26 ULONG ReturnedResultLength = 0x26 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xe6 USHORT MaximumLength = 0xe8 STR Buffer = { char [256] chars = [ "\Registry\Machine\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Ole\FeatureDevelop" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2e978 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x66 USHORT MaximumLength = 0x68 STR Buffer = { char [256] chars = [ "Software\Microsoft\Ole\FeatureDevelopmentProperties" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0 ULONG Length = 0 ULONG ReturnedResultLength = 0x26 NTSTATUS result = -1073741789 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0x25a5720c6b0 ULONG Length = 0x26 ULONG ReturnedResultLength = 0x26 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xe6 USHORT MaximumLength = 0xe8 STR Buffer = { char [256] chars = [ "\Registry\Machine\SOFTWARE\Microsoft\AppModel\Lookaside\machine\Software\Microsoft\Ole\FeatureDevelop" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2e978 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0xa8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x2c USHORT MaximumLength = 0x2e STR Buffer = { char [256] chars = [ "Software\Microsoft\Ole" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xa4 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = NotificationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtNotifyChangeKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtNotifyChangeKey csyscall = { HANDLE KeyHandle = { void *h = 0xa8 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection\Software\Microsoft\Ole" ] } } HANDLE Event = { void *h = 0xa4 STR name = { char [256] chars = [ "" ] } } PIO_APC_ROUTINE ApcRoutine = 0 PVOID ApcContext = 0 IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } ULONG CompletionFilter = 0x10000001 BOOLEAN WatchTree = 0 PVOID Buffer = 0 ULONG BufferSize = 0 BOOLEAN Asynchronous = 0x1 NTSTATUS result = STATUS_PENDING } }struct NtOpenThreadTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadToken csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0x1 BIT4 GET_CONTEXT = 0 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2ecd0 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x54 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x54 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2ea28 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0x5c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x54 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x3e USHORT MaximumLength = 0x40 STR Buffer = { char [256] chars = [ "Software\Classes\Local Settings" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_SET_INFORMATION_CLASS KeySetInformationClass = KeySetHandleTagsInformation PVOID KeySetInformation = 0xf23ad2ea68 ULONG KeySetInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x54 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2ea68 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x66 USHORT MaximumLength = 0x68 STR Buffer = { char [256] chars = [ "Software\Microsoft\Ole\FeatureDevelopmentProperties" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0 ULONG Length = 0 ULONG ReturnedResultLength = 0xac NTSTATUS result = -1073741789 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0x25a5720d740 ULONG Length = 0xac ULONG ReturnedResultLength = 0xac NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0 ULONG TokenInformationLength = 0 ULONG ReturnedResultLength = 0x2c NTSTATUS result = -1073741789 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0x25a57205fc0 ULONG TokenInformationLength = 0x2c ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x120 USHORT MaximumLength = 0x122 STR Buffer = { char [256] chars = [ "\Registry\Machine\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Local Settings\Software" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2e988 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x66 USHORT MaximumLength = 0x68 STR Buffer = { char [256] chars = [ "Software\Microsoft\Ole\FeatureDevelopmentProperties" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0 ULONG Length = 0 ULONG ReturnedResultLength = 0xac NTSTATUS result = -1073741789 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0x25a5720d740 ULONG Length = 0xac ULONG ReturnedResultLength = 0xac NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0 ULONG TokenInformationLength = 0 ULONG ReturnedResultLength = 0x2c NTSTATUS result = -1073741789 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0x25a57205cc0 ULONG TokenInformationLength = 0x2c ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x120 USHORT MaximumLength = 0x122 STR Buffer = { char [256] chars = [ "\Registry\Machine\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Local Settings\Software" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2e988 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x2c USHORT MaximumLength = 0x2e STR Buffer = { char [256] chars = [ "Software\Microsoft\Ole" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0 ULONG Length = 0 ULONG ReturnedResultLength = 0xac NTSTATUS result = -1073741789 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0x25a5720ef90 ULONG Length = 0xac ULONG ReturnedResultLength = 0xac NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0 ULONG TokenInformationLength = 0 ULONG ReturnedResultLength = 0x2c NTSTATUS result = -1073741789 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0x25a572055c0 ULONG TokenInformationLength = 0x2c ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xe6 USHORT MaximumLength = 0xe8 STR Buffer = { char [256] chars = [ "\Registry\Machine\SOFTWARE\Microsoft\AppModel\Lookaside\user\software\Classes\Local Settings\Software" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2e988 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0x54 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x24 USHORT MaximumLength = 0x26 STR Buffer = { char [256] chars = [ "Software\Microsoft" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xac ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = NotificationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtNotifyChangeKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtNotifyChangeKey csyscall = { HANDLE KeyHandle = { void *h = 0x54 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings\Software\Microsoft" ] } } HANDLE Event = { void *h = 0xac STR name = { char [256] chars = [ "" ] } } PIO_APC_ROUTINE ApcRoutine = 0 PVOID ApcContext = 0 IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } ULONG CompletionFilter = 0x10000001 BOOLEAN WatchTree = 0x1 PVOID Buffer = 0 ULONG BufferSize = 0 BOOLEAN Asynchronous = 0x1 NTSTATUS result = STATUS_PENDING } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb850000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryImageInformation PVOID MemoryInformation = 0xf23ad2eca0 SIZE_T MemoryInformationLength = 0x18 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ebc8 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ebc8 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ec08 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ec08 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ 'X', '\37777777754', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'p', '\37777777754', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0xbb85 STR Buffer = { char [256] chars = [ '\37777777773', '\177', '\0', '\0', '\006', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777640', '\37777777754', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0xa000000000 ULONG Length = 0 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ec08 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ec08 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ 'X', '\37777777754', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'p', '\37777777754', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0xbb85 STR Buffer = { char [256] chars = [ '\37777777773', '\177', '\0', '\0', '\006', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777640', '\37777777754', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0xa000000000 ULONG Length = 0 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xbc ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = NotificationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xc0 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = SynchronizationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xc4 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = NotificationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xc8 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = SynchronizationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xcc ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = NotificationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateEvent csyscall = { PHANDLE EventHandle = 0xd0 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } EVENT_TYPE EventType = SynchronizationEvent BOOLEAN InitialState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessToken csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } PHANDLE TokenHandle = 0xd4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xd4 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0x1 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xd4 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenIsAppContainer PVOID TokenInformation = 0 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xd4 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenPrivateNameSpace PVOID TokenInformation = 0x3ad2ecd800000000 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenDirectoryObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenDirectoryObject csyscall = { PHANDLE DirectoryHandle = 0xd8 ACCESS_MASK_DIRECTORY DesiredAccess = { BIT1 QUERY = 0x1 BIT2 TRAVERSE = 0x1 BIT3 CREATE_OBJECT = 0x1 BIT4 CREATE_SUBDIRECTORY = 0x1 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x38 USHORT MaximumLength = 0x3a STR Buffer = { char [256] chars = [ "\Sessions\1\BaseNamedObjects" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xd4 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenBnoIsolation PVOID TokenInformation = 0 ULONG TokenInformationLength = 0x120 ULONG ReturnedResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xd4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenEvent csyscall = { PHANDLE EventHandle = 0x1 ACCESS_MASK_EVENT DesiredAccess = { BIT1 QUERY_STATE = 0 BIT2 MODIFY_STATE = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xd8 STR name = { char [256] chars = [ "\Sessions\1\BaseNamedObjects" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x34 USHORT MaximumLength = 0x36 STR Buffer = { char [256] chars = [ "HookSwitchHookEnabledEvent" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ee98 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ee98 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ee98 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ee98 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ee98 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ee98 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ee98 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ee98 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ee98 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ee98 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ee48 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ee48 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ '\37777777630', '\37777777756', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777660', '\37777777756', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777730', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\', 'S', 'e', 's', 's', 'i', 'o', 'n', 's', '\', '1', '\', 'B', 'a', 's', 'e', 'N', 'a', 'm', 'e', 'd', 'O', 'b', 'j', 'e', 'c', 't', 's', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777634', 'y', '\37777777722', '\0', '\', 'S', 'e', 's', 's', 'i', 'o', 'n', 's', '\', '1', '\', 'A', 'p', 'p', 'C', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0 ULONG Length = 0 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57210000 ULONG ZeroBits = 0x32002d SIZE_T RegionSize = 0x2000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ee48 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ee48 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ '\37777777630', '\37777777756', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777660', '\37777777756', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0x5721 STR Buffer = { char [256] chars = [ 'Z', '\002', '\0', '\0', '-', '\0', '2', '\0', '\0', '\0', '\0', '\0', '\0', ' ', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0x400 ULONG Length = 0 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x44 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xf4 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x84 USHORT MaximumLength = 0x86 STR Buffer = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xf4 STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x36 USHORT MaximumLength = 0x38 STR Buffer = { char [256] chars = [ "SmtDelaySleepLoopWindowSize" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x25a57209d60 ULONG Length = 0x50 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xf4 STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x34 USHORT MaximumLength = 0x36 STR Buffer = { char [256] chars = [ "SmtDelaySpinCountThreshold" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x25a57209d60 ULONG Length = 0x50 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xf4 STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x22 USHORT MaximumLength = 0x24 STR Buffer = { char [256] chars = [ "SmtDelayBaseYield" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x25a57209d60 ULONG Length = 0x50 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xf4 STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x1c USHORT MaximumLength = 0x1e STR Buffer = { char [256] chars = [ "SmtFactorYield" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x25a57209d60 ULONG Length = 0x50 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xf4 STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x20 USHORT MaximumLength = 0x22 STR Buffer = { char [256] chars = [ "SmtDelayMaxYield" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x25a57209d60 ULONG Length = 0x50 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xf4 STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationWorkerFactoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationWorkerFactory csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } WORKERFACTORYINFOCLASS WorkerFactoryInformationClass = WorkerFactoryBindingCount PVOID WorkerFactoryInformation = 0xf23ad2f5a8 ULONG WorkerFactoryInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x8 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtTestAlertCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTestAlert csyscall = { NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } PVOID BaseAddress = 0 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryBasicInformation PVOID MemoryInformation = 0xffff00001f80 SIZE_T MemoryInformationLength = 0 SIZE_T ReturnLength = 0x3 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c49d90 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2fb30 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c49d90 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryMappedFilenameInformation PVOID MemoryInformation = 0xf23ad2fba8 SIZE_T MemoryInformationLength = 0x21a SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThread csyscall = { PHANDLE ThreadHandle = 0xf4 ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0x1 BIT2 SUSPEND_RESUME = 0x1 BIT3 ALERT = 0x1 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0x1 BIT6 SET_INFORMATION = 0x1 BIT7 BIT7 = 0x1 BIT8 BIT8 = 0x1 BIT9 BIT9 = 0x1 BIT10 BIT10 = 0x1 BIT11 SET_LIMITED_INFORMATION = 0x1 BIT12 QUERY_LIMITED_INFORMATION = 0x1 BIT13 BIT13 = 0x1 BIT14 BIT14 = 0x1 BIT15 BIT15 = 0x1 BIT16 BIT16 = 0x1 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0x1050 } NTSTATUS result = STATUS_SUCCESS } }struct NtGetMUIRegistryInfoCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtGetMUIRegistryInfo csyscall = { ULONG Flags = 0 ULONG DataSize = 0 PVOID Data = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtGetMUIRegistryInfoCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtGetMUIRegistryInfo csyscall = { ULONG Flags = 0 ULONG DataSize = 0x4d0 PVOID Data = 0x25a57211090 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2f7d0 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xf8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x78 USHORT MaximumLength = 0x7a STR Buffer = { char [256] chars = [ "Control Panel\Desktop\MuiCached\MachineLanguageConfiguration" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x74 USHORT MaximumLength = 0x76 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\MUI\Settings" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2f6e0 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xf8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x62 USHORT MaximumLength = 0x64 STR Buffer = { char [256] chars = [ "Software\Policies\Microsoft\Control Panel\Desktop" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x56 USHORT MaximumLength = 0x58 STR Buffer = { char [256] chars = [ "Control Panel\Desktop\LanguageConfiguration" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x74 USHORT MaximumLength = 0x76 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\MUI\Settings" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2f650 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xf8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x62 USHORT MaximumLength = 0x64 STR Buffer = { char [256] chars = [ "Software\Policies\Microsoft\Control Panel\Desktop" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x2a USHORT MaximumLength = 0x2c STR Buffer = { char [256] chars = [ "Control Panel\Desktop" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\Desktop" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x28 USHORT MaximumLength = 0x2a STR Buffer = { char [256] chars = [ "PreferredUILanguages" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0xc ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\Desktop" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x74 USHORT MaximumLength = 0x76 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\MUI\Settings" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2f650 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xf8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x3e USHORT MaximumLength = 0x40 STR Buffer = { char [256] chars = [ "Control Panel\Desktop\MuiCached" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\Desktop\MuiCached" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x36 USHORT MaximumLength = 0x38 STR Buffer = { char [256] chars = [ "MachinePreferredUILanguages" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x700000000 ULONG Length = 0xc ULONG ResultLength = 0x18 NTSTATUS result = -2147483643 } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\Desktop\MuiCached" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x36 USHORT MaximumLength = 0x38 STR Buffer = { char [256] chars = [ "MachinePreferredUILanguages" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x700000000 ULONG Length = 0x18 ULONG ResultLength = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\Desktop\MuiCached" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f7690de struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0x3 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x74 USHORT MaximumLength = 0x76 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\MUI\Settings" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2f780 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xf8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x62 USHORT MaximumLength = 0x64 STR Buffer = { char [256] chars = [ "Software\Policies\Microsoft\Control Panel\Desktop" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x2a USHORT MaximumLength = 0x2c STR Buffer = { char [256] chars = [ "Control Panel\Desktop" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\Desktop" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x28 USHORT MaximumLength = 0x2a STR Buffer = { char [256] chars = [ "PreferredUILanguages" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0xc ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\Desktop" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x74 USHORT MaximumLength = 0x76 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Policies\Microsoft\MUI\Settings" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2f7f0 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xf8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x62 USHORT MaximumLength = 0x64 STR Buffer = { char [256] chars = [ "Software\Policies\Microsoft\Control Panel\Desktop" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x56 USHORT MaximumLength = 0x58 STR Buffer = { char [256] chars = [ "Control Panel\Desktop\LanguageConfiguration" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2fb20 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xf8 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2f998 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x54 USHORT MaximumLength = 0x56 STR Buffer = { char [256] chars = [ "Software\Policies\Microsoft\Windows\System" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0 ULONG Length = 0 ULONG ReturnedResultLength = 0x7e NTSTATUS result = -1073741789 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0x25a5720d790 ULONG Length = 0x7e ULONG ReturnedResultLength = 0x7e NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0 ULONG TokenInformationLength = 0 ULONG ReturnedResultLength = 0x2c NTSTATUS result = -1073741789 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0x25a57205540 ULONG TokenInformationLength = 0x2c ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xce USHORT MaximumLength = 0xd0 STR Buffer = { char [256] chars = [ "\Registry\Machine\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Policies\Microsoft\Windows\Syst" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ad2fda4 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryBasicInformation PVOID MemoryInformation = 0xf23ad2fd20 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0x30 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ac30000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryBasicInformation PVOID MemoryInformation = 0xf23ad2fd20 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0x30 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ac31000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryBasicInformation PVOID MemoryInformation = 0xf23ad2fd20 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0x30 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ac34000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryBasicInformation PVOID MemoryInformation = 0xf23ad2fd20 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0x30 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ad30000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryBasicInformation PVOID MemoryInformation = 0xf23ad2fd20 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0x30 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f7690de struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57212000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57213000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57214000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2e858 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x48 USHORT MaximumLength = 0x4a STR Buffer = { char [256] chars = [ "Software\Microsoft\Command Processor" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Command Processor" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x1e USHORT MaximumLength = 0x20 STR Buffer = { char [256] chars = [ "DisableUNCCheck" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x30 ULONG Length = 0x90 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Command Processor" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x20 USHORT MaximumLength = 0x22 STR Buffer = { char [256] chars = [ "EnableExtensions" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x90 ULONG ResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Command Processor" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x20 USHORT MaximumLength = 0x22 STR Buffer = { char [256] chars = [ "DelayedExpansion" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x90 ULONG ResultLength = 0x10 NTSTATUS result = -1073741772 } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Command Processor" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x18 USHORT MaximumLength = 0x1a STR Buffer = { char [256] chars = [ "DefaultColor" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x90 ULONG ResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Command Processor" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x1c USHORT MaximumLength = 0x1e STR Buffer = { char [256] chars = [ "CompletionChar" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x90 ULONG ResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Command Processor" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x24 USHORT MaximumLength = 0x26 STR Buffer = { char [256] chars = [ "PathCompletionChar" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x90 ULONG ResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Command Processor" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xe USHORT MaximumLength = 0x10 STR Buffer = { char [256] chars = [ "AutoRun" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x90 ULONG ResultLength = 0x10 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Command Processor" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2e858 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x48 USHORT MaximumLength = 0x4a STR Buffer = { char [256] chars = [ "Software\Microsoft\Command Processor" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0 ULONG Length = 0 ULONG ReturnedResultLength = 0x7e NTSTATUS result = -1073741789 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0xf8 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyNameInformation PVOID KeyInformation = 0x25a5720d790 ULONG Length = 0x7e ULONG ReturnedResultLength = 0x7e NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0 ULONG TokenInformationLength = 0 ULONG ReturnedResultLength = 0x2c NTSTATUS result = -1073741789 } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0x25a572060c0 ULONG TokenInformationLength = 0x2c ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0x1 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xc2 USHORT MaximumLength = 0xc4 STR Buffer = { char [256] chars = [ "\Registry\Machine\SOFTWARE\Microsoft\AppModel\Lookaside\user\Software\Microsoft\Command Processor" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57427000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x8000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57430000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x100000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0x1 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57430000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x11000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57441000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x10000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57215000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57216000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57451000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x10000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryAttributesFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryAttributesFile csyscall = { OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x24 USHORT MaximumLength = 0x26 STR Buffer = { char [256] chars = [ "\??\C:\Users\Jonas" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } FILE_BASIC_INFORMATION FileInformation = { union _LARGE_INTEGER CreationTime = { UInt32 LowPart = 0xf572938a Int32 HighPart = 0xf572938a struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0xf572938a Int32 HighPart = 0x1d8bce2 } Int64 QuadPart = 0x1d8bce2f572938a } union _LARGE_INTEGER LastAccessTime = { UInt32 LowPart = 0x4cf7a82f Int32 HighPart = 0x4cf7a82f struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x4cf7a82f Int32 HighPart = 0x1d8c10a } Int64 QuadPart = 0x1d8c10a4cf7a82f } union _LARGE_INTEGER LastWriteTime = { UInt32 LowPart = 0x93672666 Int32 HighPart = 0x93672666 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x93672666 Int32 HighPart = 0x1d8bf47 } Int64 QuadPart = 0x1d8bf4793672666 } union _LARGE_INTEGER ChangeTime = { UInt32 LowPart = 0x93672666 Int32 HighPart = 0x93672666 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x93672666 Int32 HighPart = 0x1d8bf47 } Int64 QuadPart = 0x1d8bf4793672666 } ULONG FileAttributes = 0x10 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0xfc ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xe USHORT MaximumLength = 0xe STR Buffer = { char [256] chars = [ "\??\C:\Users" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x25a00000000 UInt64 Information = 0x1 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0x1 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0x1 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0x1 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryDirectoryFileExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryDirectoryFileEx csyscall = { HANDLE FileHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\??\C:\Users" ] } } HANDLE Event = { void *h = 0 STR name = { char [256] chars = [ "" ] } } PIO_APC_ROUTINE ApcRoutine = 0 PVOID ApcContext = 0 IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x25a00000000 UInt64 Information = 0x68 } PVOID FileInformation = 0xf23ad2f200 ULONG Length = 0x268 FILE_INFORMATION_CLASS FileInformationClass = FileBothDirectoryInformation ULONG QueryFlags = 0x2 UNICODE_STRING FileName = { USHORT Length = 0xa USHORT MaximumLength = 0xa STR Buffer = { char [256] chars = [ "Users" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\??\C:\Users" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0xfc ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x1a USHORT MaximumLength = 0x1a STR Buffer = { char [256] chars = [ "\??\C:\Users\Jonas" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x25a00000000 UInt64 Information = 0x1 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0x1 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0x1 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0x1 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryDirectoryFileExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryDirectoryFileEx csyscall = { HANDLE FileHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\??\C:\Users\Jonas" ] } } HANDLE Event = { void *h = 0 STR name = { char [256] chars = [ "" ] } } PIO_APC_ROUTINE ApcRoutine = 0 PVOID ApcContext = 0 IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x25a00000000 UInt64 Information = 0x68 } PVOID FileInformation = 0xf23ad2f200 ULONG Length = 0x268 FILE_INFORMATION_CLASS FileInformationClass = FileBothDirectoryInformation ULONG QueryFlags = 0x2 UNICODE_STRING FileName = { USHORT Length = 0xa USHORT MaximumLength = 0xa STR Buffer = { char [256] chars = [ "Jonas" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\??\C:\Users\Jonas" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryAttributesFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryAttributesFile csyscall = { OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x24 USHORT MaximumLength = 0x26 STR Buffer = { char [256] chars = [ "\??\C:\Users\Jonas" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } FILE_BASIC_INFORMATION FileInformation = { union _LARGE_INTEGER CreationTime = { UInt32 LowPart = 0xf572938a Int32 HighPart = 0xf572938a struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0xf572938a Int32 HighPart = 0x1d8bce2 } Int64 QuadPart = 0x1d8bce2f572938a } union _LARGE_INTEGER LastAccessTime = { UInt32 LowPart = 0x4cf7a82f Int32 HighPart = 0x4cf7a82f struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x4cf7a82f Int32 HighPart = 0x1d8c10a } Int64 QuadPart = 0x1d8c10a4cf7a82f } union _LARGE_INTEGER LastWriteTime = { UInt32 LowPart = 0x93672666 Int32 HighPart = 0x93672666 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x93672666 Int32 HighPart = 0x1d8bf47 } Int64 QuadPart = 0x1d8bf4793672666 } union _LARGE_INTEGER ChangeTime = { UInt32 LowPart = 0x93672666 Int32 HighPart = 0x93672666 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x93672666 Int32 HighPart = 0x1d8bf47 } Int64 QuadPart = 0x1d8bf4793672666 } ULONG FileAttributes = 0x10 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57217000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x5000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f7690de struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0xfc Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffc STR name = { char [256] chars = [ "NtCurrentProcessToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenStatistics PVOID TokenInformation = 0x11216714c ULONG TokenInformationLength = 0x38 ULONG ReturnedResultLength = 0x38 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0xfffffffffffffffa STR name = { char [256] chars = [ "NtCurrentEffectiveToken" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser PVOID TokenInformation = 0xf23ad2ed60 ULONG TokenInformationLength = 0x58 ULONG ReturnedResultLength = 0x2c NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7a USHORT MaximumLength = 0xac STR Buffer = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0x1 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x100 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x50 USHORT MaximumLength = 0x52 STR Buffer = { char [256] chars = [ "Control Panel\International\User Profile" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtEnumerateKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtEnumerateKey csyscall = { HANDLE KeyHandle = { void *h = 0x100 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile" ] } } ULONG Index = 0 KEY_INFORMATION_CLASS KeyInformationClass = KeyBasicInformation PVOID KeyInformation = 0xf23ad2ef40 ULONG Length = 0x20e ULONG ReturnedResultLength = 0x1a NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x100 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-DK" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile\en-DK" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x1e USHORT MaximumLength = 0x20 STR Buffer = { char [256] chars = [ "TransientLangId" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x213 ULONG ResultLength = 0x3c NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile\en-DK" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x86 USHORT MaximumLength = 0x88 STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-DK" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x214 ULONG ResultLength = 0x57209ee0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x8a USHORT MaximumLength = 0x8c STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-DK" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x214 ULONG ResultLength = 0x57209ee0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x86 USHORT MaximumLength = 0x88 STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x4 USHORT MaximumLength = 0x6 STR Buffer = { char [256] chars = [ "en" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x214 ULONG ResultLength = 0x57209ee0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x8a USHORT MaximumLength = 0x8c STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x4 USHORT MaximumLength = 0x6 STR Buffer = { char [256] chars = [ "en" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x214 ULONG ResultLength = 0x57209ee0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x86 USHORT MaximumLength = 0x88 STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-US" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x214 ULONG ResultLength = 0xbac2c000 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x8a USHORT MaximumLength = 0x8c STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-US" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x214 ULONG ResultLength = 0xbac2c000 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtEnumerateKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtEnumerateKey csyscall = { HANDLE KeyHandle = { void *h = 0x100 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile" ] } } ULONG Index = 0x1 KEY_INFORMATION_CLASS KeyInformationClass = KeyBasicInformation PVOID KeyInformation = 0xf23ad2ef40 ULONG Length = 0x20e ULONG ReturnedResultLength = 0x1a NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x100 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-GB" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile\en-GB" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x1e USHORT MaximumLength = 0x20 STR Buffer = { char [256] chars = [ "TransientLangId" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x213 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile\en-GB" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtEnumerateKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtEnumerateKey csyscall = { HANDLE KeyHandle = { void *h = 0x100 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile" ] } } ULONG Index = 0x2 KEY_INFORMATION_CLASS KeyInformationClass = KeyBasicInformation PVOID KeyInformation = 0xf23ad2ef40 ULONG Length = 0x20e ULONG ReturnedResultLength = 0x1a NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xfc ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x100 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-US" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile\en-US" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x1e USHORT MaximumLength = 0x20 STR Buffer = { char [256] chars = [ "TransientLangId" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x213 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile\en-US" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtEnumerateKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtEnumerateKey csyscall = { HANDLE KeyHandle = { void *h = 0x100 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile" ] } } ULONG Index = 0x3 KEY_INFORMATION_CLASS KeyInformationClass = KeyBasicInformation PVOID KeyInformation = 0xf23ad2ef40 ULONG Length = 0x20e ULONG ReturnedResultLength = 0x1a NTSTATUS result = -2147483622 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x100 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Control Panel\International\User Profile" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x100 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x86 USHORT MaximumLength = 0x88 STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x100 STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-GB" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x214 ULONG ResultLength = 0xbd287265 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x100 STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\CustomLocale" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x100 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x8a USHORT MaximumLength = 0x8c STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x100 STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-GB" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0 ULONG Length = 0x214 ULONG ResultLength = 0xbd287265 NTSTATUS result = -1073741772 } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x100 STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\ExtendedLocale" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x100 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x7e USHORT MaximumLength = 0x80 STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Codepage" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x100 STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Codepage" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x22 USHORT MaximumLength = 0x24 STR Buffer = { char [256] chars = [ "AllowDeprecatedCP" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x214 ULONG ResultLength = 0x3c NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f7690de struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0x100 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x25a00000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fc90 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0x100 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0x100 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadToken csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0x1 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0x1 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtQueryInformationThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationThread csyscall = { HANDLE ThreadHandle = { void *h = 0xfffffffffffffffe STR name = { char [256] chars = [ "NtCurrentThread" ] } } THREADINFOCLASS ThreadInformationClass = ThreadDynamicCodePolicyInfo PVOID ThreadInformation = 0 ULONG ThreadInformationLength = 0x4 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x18 USHORT MaximumLength = 0x1a STR Buffer = { char [256] chars = [ "winbrand.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryAttributesFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryAttributesFile csyscall = { OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x48 USHORT MaximumLength = 0x100 STR Buffer = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\winbrand.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0x1 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } FILE_BASIC_INFORMATION FileInformation = { union _LARGE_INTEGER CreationTime = { UInt32 LowPart = 0x440a1c5e Int32 HighPart = 0x440a1c5e struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x440a1c5e Int32 HighPart = 0x1d7d187 } Int64 QuadPart = 0x1d7d187440a1c5e } union _LARGE_INTEGER LastAccessTime = { UInt32 LowPart = 0xd0528421 Int32 HighPart = 0xd0528421 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0xd0528421 Int32 HighPart = 0x1d8c108 } Int64 QuadPart = 0x1d8c108d0528421 } union _LARGE_INTEGER LastWriteTime = { UInt32 LowPart = 0x440a1c5e Int32 HighPart = 0x440a1c5e struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x440a1c5e Int32 HighPart = 0x1d7d187 } Int64 QuadPart = 0x1d7d187440a1c5e } union _LARGE_INTEGER ChangeTime = { UInt32 LowPart = 0x525c089c Int32 HighPart = 0x525c089c struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x525c089c Int32 HighPart = 0x1d8bd05 } Int64 QuadPart = 0x1d8bd05525c089c } ULONG FileAttributes = 0x20 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0xfc ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0x1 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x48 USHORT MaximumLength = 0x100 STR Buffer = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\winbrand.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0x1 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x25a00000000 UInt64 Information = 0x1 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSection csyscall = { PHANDLE SectionHandle = 0x104 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LARGE_INTEGER MaximumSize = 0 ULONG SectionPageProtection = 0x10 ULONG AllocationAttributes = 0x1000000 HANDLE FileHandle = { void *h = 0xfc STR name = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\winbrand.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x104 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0x100000000000010 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800060d8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800060d8 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800060d8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff800060d8 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x800060d8 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800060d8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a57207150 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffb9d232000 SIZE_T RegionSize = 0x78 ULONG NewProtect = 0x2 ULONG OldProtect = 0x9d200000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffb9d2296d8 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffb9d229000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffb9d200000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2e978 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffb9d229248 SIZE_T RegionSize = 0x490 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x108 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x14 USHORT MaximumLength = 0x16 STR Buffer = { char [256] chars = [ "shcore.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x108 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x5c BIT2 CREATE_THREAD = 0x4b BIT3 SET_SESSIONID = 0x6e BIT4 VM_OPERATION = 0x6f BIT5 VM_READ = 0x77 BIT6 VM_WRITE = 0x6e BIT7 DUP_HANDLE = 0x44 BIT8 CREATE_PROCESS = 0x6c BIT9 SET_QUOTA = 0x6c BIT10 SET_INFORMATION = 0x73 BIT11 QUERY_INFORMATION = 0x5c BIT12 SUSPEND_RESUME = 0x73 BIT13 QUERY_LIMITED_INFORMATION = 0x68 BIT14 BIT14 = 0x63 BIT15 BIT15 = 0x6f BIT16 BIT16 = 0x72 BIT17 DELETE = 0x65 BIT18 READ_CONTROL = 0x2e BIT19 WRITE_DAC = 0x64 BIT20 WRITE_OWNER = 0x6c BIT21 SYNCHRONIZE = 0x6c BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800020bc ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff800020bc NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a572154e0 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb354000 SIZE_T RegionSize = 0x428 ULONG NewProtect = 0x2 ULONG OldProtect = 0xbb270000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb321178 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb321000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb270000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2e238 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb3206a0 SIZE_T RegionSize = 0xad8 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0x10c ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x1a USHORT MaximumLength = 0x1c STR Buffer = { char [256] chars = [ "msvcp_win.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x10c ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x5c BIT2 CREATE_THREAD = 0x4b BIT3 SET_SESSIONID = 0x6e BIT4 VM_OPERATION = 0x6f BIT5 VM_READ = 0x77 BIT6 VM_WRITE = 0x6e BIT7 DUP_HANDLE = 0x44 BIT8 CREATE_PROCESS = 0x6c BIT9 SET_QUOTA = 0x6c BIT10 SET_INFORMATION = 0x73 BIT11 QUERY_INFORMATION = 0x5c BIT12 SUSPEND_RESUME = 0x6d BIT13 QUERY_LIMITED_INFORMATION = 0x73 BIT14 BIT14 = 0x76 BIT15 BIT15 = 0x63 BIT16 BIT16 = 0x70 BIT17 DELETE = 0x5f BIT18 READ_CONTROL = 0x77 BIT19 WRITE_DAC = 0x69 BIT20 WRITE_OWNER = 0x6e BIT21 SYNCHRONIZE = 0x2e BIT22 BIT22 = 0x64 BIT23 BIT23 = 0x6c BIT24 BIT24 = 0x6c BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800020bc ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff800020bc NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a572157c0 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb0ca000 SIZE_T RegionSize = 0x40 ULONG NewProtect = 0x2 ULONG OldProtect = 0xbb030000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb088418 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb088000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb030000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2daf8 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb087d58 SIZE_T RegionSize = 0x6c0 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtReleaseWorkerFactoryWorkerCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtReleaseWorkerFactoryWorker csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x10c STR name = { char [256] chars = [ "\KnownDlls\msvcp_win.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtReleaseWorkerFactoryWorkerCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtReleaseWorkerFactoryWorker csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x108 STR name = { char [256] chars = [ "\KnownDlls\shcore.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083824c50c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x5058 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb087d58 SIZE_T RegionSize = 0x6c0 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtReleaseWorkerFactoryWorkerCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtReleaseWorkerFactoryWorker csyscall = { HANDLE WorkerFactoryHandle = { void *h = 0x80 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x104 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083824c50c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x5058 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffb9d229248 SIZE_T RegionSize = 0x490 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\winbrand.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbb3206a0 SIZE_T RegionSize = 0xad8 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtWaitForSingleObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtWaitForSingleObject csyscall = { HANDLE Handle = { void *h = 0x48 STR name = { char [256] chars = [ "" ] } } BOOLEAN Alertable = 0 LARGE_INTEGER Timeout = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessTlsInformation PVOID ProcessInformation = 0xf23b0ff740 ULONG ProcessInformationSize = 0x28 NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083871c80c0 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x37ac BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x48 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtWaitForSingleObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtWaitForSingleObject csyscall = { HANDLE Handle = { void *h = 0x48 STR name = { char [256] chars = [ "" ] } } BOOLEAN Alertable = 0 LARGE_INTEGER Timeout = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ebc8 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ebc8 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2ea78 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2ea78 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x44 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c91000 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x3ad2f5d0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ff7a7c91000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemPolicyInformation PVOID SystemInformation = 0xf23ad2fb80 ULONG SystemInformationLength = 0x20 ULONG ReturnedResultLength = 0x2e646d63 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryAttributesFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryAttributesFile csyscall = { OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x68 USHORT MaximumLength = 0x6a STR Buffer = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\Branding\Basebrd\Basebrd.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } FILE_BASIC_INFORMATION FileInformation = { union _LARGE_INTEGER CreationTime = { UInt32 LowPart = 0 Int32 HighPart = 0 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0 Int32 HighPart = 0 } Int64 QuadPart = 0 } union _LARGE_INTEGER LastAccessTime = { UInt32 LowPart = 0 Int32 HighPart = 0 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0 Int32 HighPart = 0xf2 } Int64 QuadPart = 0xf200000000 } union _LARGE_INTEGER LastWriteTime = { UInt32 LowPart = 0 Int32 HighPart = 0 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0 Int32 HighPart = 0 } Int64 QuadPart = 0 } union _LARGE_INTEGER ChangeTime = { UInt32 LowPart = 0x3ad2bd00 Int32 HighPart = 0x3ad2bd00 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x3ad2bd00 Int32 HighPart = 0xf2 } Int64 QuadPart = 0xf23ad2bd00 } ULONG FileAttributes = 0 } NTSTATUS result = -1073741766 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x110 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x84 USHORT MaximumLength = 0x86 STR Buffer = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x110 STR name = { char [256] chars = [ "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x22 USHORT MaximumLength = 0x24 STR Buffer = { char [256] chars = [ "SafeDllSearchMode" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0x10 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtQueryAttributesFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryAttributesFile csyscall = { OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x56 USHORT MaximumLength = 0x58 STR Buffer = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } FILE_BASIC_INFORMATION FileInformation = { union _LARGE_INTEGER CreationTime = { UInt32 LowPart = 0x2c4ed5f8 Int32 HighPart = 0x2c4ed5f8 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x2c4ed5f8 Int32 HighPart = 0x1d7d187 } Int64 QuadPart = 0x1d7d1872c4ed5f8 } union _LARGE_INTEGER LastAccessTime = { UInt32 LowPart = 0xd052ab1e Int32 HighPart = 0xd052ab1e struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0xd052ab1e Int32 HighPart = 0x1d8c108 } Int64 QuadPart = 0x1d8c108d052ab1e } union _LARGE_INTEGER LastWriteTime = { UInt32 LowPart = 0x2c4ed5f8 Int32 HighPart = 0x2c4ed5f8 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x2c4ed5f8 Int32 HighPart = 0x1d7d187 } Int64 QuadPart = 0x1d7d1872c4ed5f8 } union _LARGE_INTEGER ChangeTime = { UInt32 LowPart = 0x51a184fd Int32 HighPart = 0x51a184fd struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x51a184fd Int32 HighPart = 0x1d8bd05 } Int64 QuadPart = 0x1d8bd0551a184fd } ULONG FileAttributes = 0x20 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateFile csyscall = { PHANDLE FileHandle = 0x114 ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0x1 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x56 USHORT MaximumLength = 0x58 STR Buffer = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0xc enum ImpersonationLevel = Impersonation UCHAR ContextTrackingMode = 0x1 UCHAR EffectiveOnly = 0x1 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x1 } LARGE_INTEGER AllocationSize = 0 FILE_ATTRIBUTES FileAttributes = { BIT1 READONLY :1 = 0 BIT2 HIDDEN :1 = 0 BIT3 SYSTEM :1 = 0 BIT4 UNUSED :1 = 0 BIT5 DIRECTORY :1 = 0 BIT6 ARCHIVE :1 = 0 BIT7 DEVICE :1 = 0 BIT8 NORMAL :1 = 0 BIT9 TEMPORARY :1 = 0 BIT10 SPARSE_FILE :1 = 0 BIT11 REPARSE_POINT :1 = 0 BIT12 COMPRESSED :1 = 0 BIT13 OFFLINE :1 = 0 BIT14 NOT_CONTENT_INDEXED :1 = 0 BIT15 ENCRYPTED :1 = 0 BIT16 INTEGRITY_STREAM :1 = 0 BIT17 VIRTUAL :1 = 0 BIT18 NO_SCRUB_DATA :1 = 0 BIT19 EA :1 = 0 BIT20 PINNED :1 = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_DISPOSITION CreateDisposition = OPEN FILE_OPTIONS CreateOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } PVOID EaBuffer = 0 ULONG EaLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSection csyscall = { PHANDLE SectionHandle = 0x118 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LARGE_INTEGER MaximumSize = 0 ULONG SectionPageProtection = 0x2 ULONG AllocationAttributes = 0x8000000 HANDLE FileHandle = { void *h = 0x114 STR name = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0x118 STR name = { char [256] chars = [ "" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0xf000 SECTION_INHERIT InheritDisposition = ViewShare ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x114 STR name = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x118 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2bd78 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2bfb8 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtUnmapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtUnmapViewOfSection csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryAttributesFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryAttributesFile csyscall = { OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x68 USHORT MaximumLength = 0x6a STR Buffer = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\Branding\Basebrd\Basebrd.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } FILE_BASIC_INFORMATION FileInformation = { union _LARGE_INTEGER CreationTime = { UInt32 LowPart = 0 Int32 HighPart = 0 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0 Int32 HighPart = 0 } Int64 QuadPart = 0 } union _LARGE_INTEGER LastAccessTime = { UInt32 LowPart = 0 Int32 HighPart = 0 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0 Int32 HighPart = 0xf2 } Int64 QuadPart = 0xf200000000 } union _LARGE_INTEGER LastWriteTime = { UInt32 LowPart = 0 Int32 HighPart = 0 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0 Int32 HighPart = 0 } Int64 QuadPart = 0 } union _LARGE_INTEGER ChangeTime = { UInt32 LowPart = 0x3ad2be00 Int32 HighPart = 0x3ad2be00 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x3ad2be00 Int32 HighPart = 0xf2 } Int64 QuadPart = 0xf23ad2be00 } ULONG FileAttributes = 0 } NTSTATUS result = -1073741766 } }struct NtQueryAttributesFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryAttributesFile csyscall = { OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x56 USHORT MaximumLength = 0x58 STR Buffer = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } FILE_BASIC_INFORMATION FileInformation = { union _LARGE_INTEGER CreationTime = { UInt32 LowPart = 0x2c4ed5f8 Int32 HighPart = 0x2c4ed5f8 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x2c4ed5f8 Int32 HighPart = 0x1d7d187 } Int64 QuadPart = 0x1d7d1872c4ed5f8 } union _LARGE_INTEGER LastAccessTime = { UInt32 LowPart = 0x4f27ed7a Int32 HighPart = 0x4f27ed7a struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x4f27ed7a Int32 HighPart = 0x1d8c10a } Int64 QuadPart = 0x1d8c10a4f27ed7a } union _LARGE_INTEGER LastWriteTime = { UInt32 LowPart = 0x2c4ed5f8 Int32 HighPart = 0x2c4ed5f8 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x2c4ed5f8 Int32 HighPart = 0x1d7d187 } Int64 QuadPart = 0x1d7d1872c4ed5f8 } union _LARGE_INTEGER ChangeTime = { UInt32 LowPart = 0x51a184fd Int32 HighPart = 0x51a184fd struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x51a184fd Int32 HighPart = 0x1d8bd05 } Int64 QuadPart = 0x1d8bd0551a184fd } ULONG FileAttributes = 0x20 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateFile csyscall = { PHANDLE FileHandle = 0x108 ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0x1 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x56 USHORT MaximumLength = 0x58 STR Buffer = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0xc enum ImpersonationLevel = Impersonation UCHAR ContextTrackingMode = 0x1 UCHAR EffectiveOnly = 0x1 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x1 } LARGE_INTEGER AllocationSize = 0 FILE_ATTRIBUTES FileAttributes = { BIT1 READONLY :1 = 0 BIT2 HIDDEN :1 = 0 BIT3 SYSTEM :1 = 0 BIT4 UNUSED :1 = 0 BIT5 DIRECTORY :1 = 0 BIT6 ARCHIVE :1 = 0 BIT7 DEVICE :1 = 0 BIT8 NORMAL :1 = 0 BIT9 TEMPORARY :1 = 0 BIT10 SPARSE_FILE :1 = 0 BIT11 REPARSE_POINT :1 = 0 BIT12 COMPRESSED :1 = 0 BIT13 OFFLINE :1 = 0 BIT14 NOT_CONTENT_INDEXED :1 = 0 BIT15 ENCRYPTED :1 = 0 BIT16 INTEGRITY_STREAM :1 = 0 BIT17 VIRTUAL :1 = 0 BIT18 NO_SCRUB_DATA :1 = 0 BIT19 EA :1 = 0 BIT20 PINNED :1 = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_DISPOSITION CreateDisposition = OPEN FILE_OPTIONS CreateOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } PVOID EaBuffer = 0 ULONG EaLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSection csyscall = { PHANDLE SectionHandle = 0x10c ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LARGE_INTEGER MaximumSize = 0 ULONG SectionPageProtection = 0x2 ULONG AllocationAttributes = 0x8000000 HANDLE FileHandle = { void *h = 0x108 STR name = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0x10c STR name = { char [256] chars = [ "\KnownDlls\msvcp_win.dll" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0xf000 SECTION_INHERIT InheritDisposition = ViewShare ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x108 STR name = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x10c STR name = { char [256] chars = [ "\KnownDlls\msvcp_win.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2bee8 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2c128 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x10c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x94 USHORT MaximumLength = 0x200 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-GB" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x10c STR name = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-GB" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x8 USHORT MaximumLength = 0xa STR Buffer = { char [256] chars = [ "Type" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x10 ULONG ResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x10c STR name = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-GB" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xc USHORT MaximumLength = 0xe STR Buffer = { char [256] chars = [ "Latest" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x100000000 ULONG Length = 0x2ca ULONG ResultLength = 0xde NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x10c STR name = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-GB" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0x10c ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x178 USHORT MaximumLength = 0x17a STR Buffer = { char [256] chars = [ "\??\C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePacken-GB_22000.22.104.0_neutral__8wekyb" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x1 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSection csyscall = { PHANDLE SectionHandle = 0x108 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LARGE_INTEGER MaximumSize = 0 ULONG SectionPageProtection = 0x2 ULONG AllocationAttributes = 0x8000000 HANDLE FileHandle = { void *h = 0x10c STR name = { char [256] chars = [ "\??\C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePacken-GB_22000.22.104.0_neutral__8wekyb" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0x108 STR name = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571e0000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0x5000 SECTION_INHERIT InheritDisposition = ViewShare ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x108 STR name = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571e0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2b288 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571e0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2b360 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571e0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2bef8 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571e0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2c2b0 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryLicenseValueCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryLicenseValue csyscall = { UNICODE_STRING ValueName = { USHORT Length = 0x24 USHORT MaximumLength = 0x26 STR Buffer = { char [256] chars = [ "Kernel-ProductInfo" ] } } ULONG Type = 0 PVOID Data = 0xf23ad2c2f8 ULONG DataSize = 0x4 ULONG ResultDataSize = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryLicenseValueCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryLicenseValue csyscall = { UNICODE_STRING ValueName = { USHORT Length = 0x3e USHORT MaximumLength = 0x40 STR Buffer = { char [256] chars = [ "Kernel-ProductInfoLegacyMapping" ] } } ULONG Type = 0x4 PVOID Data = 0xf23ad2c330 ULONG DataSize = 0xc8 ULONG ResultDataSize = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadToken csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0x1 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0x1 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtQueryInformationThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationThread csyscall = { HANDLE ThreadHandle = { void *h = 0xfffffffffffffffe STR name = { char [256] chars = [ "NtCurrentThread" ] } } THREADINFOCLASS ThreadInformationClass = ThreadDynamicCodePolicyInfo PVOID ThreadInformation = 0 ULONG ThreadInformationLength = 0x4 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSection csyscall = { PHANDLE SectionHandle = 0 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x3c STR name = { char [256] chars = [ "\KnownDlls" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x10 USHORT MaximumLength = 0x12 STR Buffer = { char [256] chars = [ "wldp.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtQueryAttributesFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryAttributesFile csyscall = { OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x40 USHORT MaximumLength = 0x100 STR Buffer = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\wldp.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0x1 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } FILE_BASIC_INFORMATION FileInformation = { union _LARGE_INTEGER CreationTime = { UInt32 LowPart = 0x44ac3c80 Int32 HighPart = 0x44ac3c80 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x44ac3c80 Int32 HighPart = 0x1d7d187 } Int64 QuadPart = 0x1d7d18744ac3c80 } union _LARGE_INTEGER LastAccessTime = { UInt32 LowPart = 0x32d564a8 Int32 HighPart = 0x32d564a8 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x32d564a8 Int32 HighPart = 0x1d8c10a } Int64 QuadPart = 0x1d8c10a32d564a8 } union _LARGE_INTEGER LastWriteTime = { UInt32 LowPart = 0x44ae9e3e Int32 HighPart = 0x44ae9e3e struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x44ae9e3e Int32 HighPart = 0x1d7d187 } Int64 QuadPart = 0x1d7d18744ae9e3e } union _LARGE_INTEGER ChangeTime = { UInt32 LowPart = 0x507d7048 Int32 HighPart = 0x507d7048 struct _LARGE_INTEGER:: u = { UInt32 LowPart = 0x507d7048 Int32 HighPart = 0x1d8bd05 } Int64 QuadPart = 0x1d8bd05507d7048 } ULONG FileAttributes = 0x20 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0x11c ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0x1 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x40 USHORT MaximumLength = 0x100 STR Buffer = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\wldp.dll" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0x1 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0xf200000000 UInt64 Information = 0x1 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSection csyscall = { PHANDLE SectionHandle = 0x120 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0x1 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LARGE_INTEGER MaximumSize = 0 ULONG SectionPageProtection = 0x10 ULONG AllocationAttributes = 0x1000000 HANDLE FileHandle = { void *h = 0x11c STR name = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\wldp.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0x120 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0x10000 void *Group = 0 void *Sacl = 0x10000 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0x100000000000010 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800020bc ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c11b09b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d00 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadTokenEx csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0x1 ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114d29 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessTokenEx csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } ULONG HandleAttributes = 0x200 PHANDLE TokenHandle = 0xffffffff800020bc NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114dc9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenSessionId PVOID TokenInformation = 0xffff888300000001 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069c114e0b struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800020bc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryPerformanceCounterCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryPerformanceCounter csyscall = { LARGE_INTEGER PerformanceCounter = 0x25a57215620 LARGE_INTEGER PerformanceFrequency = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbb9eb9000 SIZE_T RegionSize = 0x240 ULONG NewProtect = 0x2 ULONG OldProtect = 0xb9e80000 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbb9ea7168 SIZE_T RegionSize = 0x8 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbb9ea7000 SIZE_T RegionSize = 0x1000 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbb9e80000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2b898 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbb9ea6bc0 SIZE_T RegionSize = 0x5a8 ULONG NewProtect = 0x4 ULONG OldProtect = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbb9ea6bc0 SIZE_T RegionSize = 0x5a8 ULONG NewProtect = 0x2 ULONG OldProtect = 0x1 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x120 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x11c STR name = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\wldp.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2bb18 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2bb18 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2bac8 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2bac8 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ '\030', '\37777777673', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '0', '\37777777673', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ '\37777777773', '\177', '\0', '\0', '\37777777650', '\005', '\0', '\0', '\0', '\0', '\0', '\0', '\002', '\0', '\0', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777777', '\37777777777', '\37777777777', '\37777777777', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0x1 ULONG Length = 0 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2bac8 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2bac8 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ '\030', '\37777777673', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '0', '\37777777673', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'c', 'm', 'd', '.', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ '\37777777773', '\177', '\0', '\0', '\37777777650', '\005', '\0', '\0', '\0', '\0', '\0', '\0', '\002', '\0', '\0', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777777', '\37777777777', '\37777777777', '\37777777777', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0x1 ULONG Length = 0 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtTraceControlCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTraceControl csyscall = { ULONG FunctionCode = 0xf PVOID InBuffer = 0xf23ad2bac8 ULONG InBufferLen = 0xa0 PVOID OutBuffer = 0xf23ad2bac8 ULONG OutBufferLen = 0xa0 ULONG ReturnedResultLength = 0xa0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff80685101e15 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x1e STR name = { char [256] chars = [ '\030', '\37777777673', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', '\030', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '0', '\37777777673', '\37777777722', ':', '\37777777762', '\0', '\0', '\0', 'x', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } UNICODE_STRING ValueName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ '\37777777773', '\177', '\0', '\0', '\37777777650', '\005', '\0', '\0', '\0', '\0', '\0', '\0', '\002', '\0', '\0', '\0', '\001', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\37777777777', '\37777777777', '\37777777777', '\37777777777', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0' ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueBasicInformation PVOID KeyValueInformation = 0x1 ULONG Length = 0 ULONG ResultLength = 0 NTSTATUS result = -1073741772 } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x44 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQuerySystemInformationCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQuerySystemInformation csyscall = { SYSTEM_INFORMATION_CLASS SystemInformationClass = SystemCodeIntegrityPolicyInformation PVOID SystemInformation = 0xf23ad2c3c0 ULONG SystemInformationLength = 0x20 ULONG ReturnedResultLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x120 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x118 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x114 STR name = { char [256] chars = [ "\??\C:\Windows\Branding\Basebrd\Basebrd.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x11c STR name = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\wldp.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x44 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x4 ULONG OldProtect = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtProtectVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtProtectVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbbd3cd000 SIZE_T RegionSize = 0x3520 ULONG NewProtect = 0x2 ULONG OldProtect = 0x2 NTSTATUS result = STATUS_SUCCESS } }struct NtUnmapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtUnmapViewOfSection csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x7ffbb9e80000 NTSTATUS result = STATUS_SUCCESS } }struct NtSetTimer2CALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetTimer2 csyscall = { HANDLE TimerHandle = { void *h = 0x24 STR name = { char [256] chars = [ "" ] } } LARGE_INTEGER DueTime = 0xffffffff4d2fa200 LARGE_INTEGER Period = 0 T2_SET_PARAMETERS Parameters = { ULONG Version = 0 ULONG Reserved = 0x7ffb LONG64 NoWakeTolerance = 0x2cb41780 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateMutantCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateMutant csyscall = { PHANDLE MutantHandle = 0x11c ACCESS_MASK_MUTANT DesiredAccess = { BIT1 MUTANT_QUERY_STATE = 0x1 BIT2 BIT2 = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xd8 STR name = { char [256] chars = [ "\Sessions\1\BaseNamedObjects" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x42 USHORT MaximumLength = 0x44 STR Buffer = { char [256] chars = [ "Local\SM0:18452:304:WilStaging_02" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0x1 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } BOOLEAN InitialOwner = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtWaitForSingleObjectCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtWaitForSingleObject csyscall = { HANDLE Handle = { void *h = 0x11c STR name = { char [256] chars = [ "\Sessions\1\BaseNamedObjects\Local\SM0:18452:304:WilStaging_02" ] } } BOOLEAN Alertable = 0 LARGE_INTEGER Timeout = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenSemaphoreCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenSemaphore csyscall = { PHANDLE SemaphoreHandle = 0xf23ad2bdb0 ACCESS_MASK_SEMAPHORE DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xd8 STR name = { char [256] chars = [ "\Sessions\1\BaseNamedObjects" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x48 USHORT MaximumLength = 0x4a STR Buffer = { char [256] chars = [ "Local\SM0:18452:304:WilStaging_02_p0" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtCreateSemaphoreCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSemaphore csyscall = { PHANDLE SemaphoreHandle = 0x114 ACCESS_MASK_SEMAPHORE DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xd8 STR name = { char [256] chars = [ "\Sessions\1\BaseNamedObjects" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x48 USHORT MaximumLength = 0x4a STR Buffer = { char [256] chars = [ "Local\SM0:18452:304:WilStaging_02_p0" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0x1 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LONG InitialCount = 0x15c856b4 LONG MaximumCount = 0x15c856b4 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSemaphoreCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSemaphore csyscall = { PHANDLE SemaphoreHandle = 0x118 ACCESS_MASK_SEMAPHORE DesiredAccess = { BIT1 QUERY_STATE = 0x1 BIT2 MODIFY_STATE = 0x1 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0xd8 STR name = { char [256] chars = [ "\Sessions\1\BaseNamedObjects" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x4a USHORT MaximumLength = 0x4c STR Buffer = { char [256] chars = [ "Local\SM0:18452:304:WilStaging_02_p0h" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0x1 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LONG InitialCount = 0x12d LONG MaximumCount = 0x12d NTSTATUS result = STATUS_SUCCESS } }struct NtReleaseMutantCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtReleaseMutant csyscall = { HANDLE MutantHandle = { void *h = 0x11c STR name = { char [256] chars = [ "\Sessions\1\BaseNamedObjects\Local\SM0:18452:304:WilStaging_02" ] } } LONG PreviousCount = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtUnmapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtUnmapViewOfSection csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571e0000 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x10c STR name = { char [256] chars = [ "\??\C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePacken-GB_22000.22.104.0_neutral__8wekyb" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtUnmapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtUnmapViewOfSection csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x94 STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x10 USHORT MaximumLength = 0x12 STR Buffer = { char [256] chars = [ "000604xx" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValueFullInformation PVOID KeyValueInformation = 0x100000000 ULONG Length = 0x214 ULONG ResultLength = 0x42 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateFile csyscall = { PHANDLE FileHandle = 0x10c ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0x1 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x68 USHORT MaximumLength = 0x6a STR Buffer = { char [256] chars = [ "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0xc enum ImpersonationLevel = Impersonation UCHAR ContextTrackingMode = 0x1 UCHAR EffectiveOnly = 0x1 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x1 } LARGE_INTEGER AllocationSize = 0 FILE_ATTRIBUTES FileAttributes = { BIT1 READONLY :1 = 0 BIT2 HIDDEN :1 = 0 BIT3 SYSTEM :1 = 0 BIT4 UNUSED :1 = 0 BIT5 DIRECTORY :1 = 0 BIT6 ARCHIVE :1 = 0 BIT7 DEVICE :1 = 0 BIT8 NORMAL :1 = 0x1 BIT9 TEMPORARY :1 = 0 BIT10 SPARSE_FILE :1 = 0 BIT11 REPARSE_POINT :1 = 0 BIT12 COMPRESSED :1 = 0 BIT13 OFFLINE :1 = 0 BIT14 NOT_CONTENT_INDEXED :1 = 0 BIT15 ENCRYPTED :1 = 0 BIT16 INTEGRITY_STREAM :1 = 0 BIT17 VIRTUAL :1 = 0 BIT18 NO_SCRUB_DATA :1 = 0 BIT19 EA :1 = 0 BIT20 PINNED :1 = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0 } FILE_DISPOSITION CreateDisposition = OPEN FILE_OPTIONS CreateOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } PVOID EaBuffer = 0 ULONG EaLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSection csyscall = { PHANDLE SectionHandle = 0x120 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LARGE_INTEGER MaximumSize = 0 ULONG SectionPageProtection = 0x2 ULONG AllocationAttributes = 0x8000000 HANDLE FileHandle = { void *h = 0x10c STR name = { char [256] chars = [ "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0x120 STR name = { char [256] chars = [ "" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57530000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0x33a000 SECTION_INHERIT InheritDisposition = ViewShare ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessRaiseUMExceptionOnInvalidHandleClose PVOID ProcessInformation = 0xf23ad2c290 ULONG ProcessInformationSize = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x120 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x10c STR name = { char [256] chars = [ "\??\C:\Windows\Globalization\Sorting\sortdefault.nls" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x10c ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x84 USHORT MaximumLength = 0x86 STR Buffer = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x10c STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xa USHORT MaximumLength = 0xc STR Buffer = { char [256] chars = [ "en-DK" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0x5a ULONG ResultLength = 0x3ad2c4aa NTSTATUS result = -1073741772 } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x10c STR name = { char [256] chars = [ "\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Ids" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x4 USHORT MaximumLength = 0x6 STR Buffer = { char [256] chars = [ "en" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0 ULONG Length = 0x5a ULONG ResultLength = 0x3ad2c4aa NTSTATUS result = -1073741772 } }struct NtQueryKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryKey csyscall = { HANDLE KeyHandle = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } KEY_INFORMATION_CLASS KeyInformationClass = KeyHandleTagsInformation PVOID KeyInformation = 0xf23ad2f858 ULONG Length = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyExCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKeyEx csyscall = { PHANDLE KeyHandle = 0x108 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0 BIT5 NOTIFY = 0 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0x1 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x98 STR name = { char [256] chars = [ "\REGISTRY\MACHINE" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x58 USHORT MaximumLength = 0x5a STR Buffer = { char [256] chars = [ "Software\Microsoft\Windows NT\CurrentVersion" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } ULONG OpenOptions = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x108 STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x6 USHORT MaximumLength = 0x8 STR Buffer = { char [256] chars = [ "UBR" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x10 ULONG ResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x108 STR name = { char [256] chars = [ "\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fb90 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0x124 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x94 USHORT MaximumLength = 0x200 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-GB" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x124 STR name = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-GB" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x8 USHORT MaximumLength = 0xa STR Buffer = { char [256] chars = [ "Type" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x400000000 ULONG Length = 0x10 ULONG ResultLength = 0x10 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x124 STR name = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-GB" ] } } UNICODE_STRING ValueName = { USHORT Length = 0xc USHORT MaximumLength = 0xe STR Buffer = { char [256] chars = [ "Latest" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x100000000 ULONG Length = 0x2ca ULONG ResultLength = 0xde NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x124 STR name = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-GB" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0 ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x160 USHORT MaximumLength = 0x162 STR Buffer = { char [256] chars = [ "\??\C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePacken-GB_22000.22.104.0_neutral__8wekyb" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = -1073741766 } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0 ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x52 USHORT MaximumLength = 0x54 STR Buffer = { char [256] chars = [ "\??\C:\Windows\system32\en-GB\cmd.exe.mui" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x8e USHORT MaximumLength = 0x200 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0 ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x4c USHORT MaximumLength = 0x4e STR Buffer = { char [256] chars = [ "\??\C:\Windows\system32\en\cmd.exe.mui" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = -1073741772 } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0 BIT3 CREATE_SUB_KEY = 0 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x94 USHORT MaximumLength = 0x200 STR Buffer = { char [256] chars = [ "\Registry\Machine\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = -1073741772 } }struct NtOpenFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenFile csyscall = { PHANDLE FileHandle = 0x124 ACCESS_MASK_FILE DesiredAccess = { BIT1 READ_DATA :1 = 0x1 BIT2 ADD_FILE :1 = 0 BIT3 APPEND_DATA :1 = 0 BIT4 READ_EA :1 = 0 BIT5 WRITE_EA :1 = 0 BIT6 EXECUTE :1 = 0 BIT7 DELETE_CHILD :1 = 0 BIT8 READ_ATTRIBUTES :1 = 0 BIT9 WRITE_ATTRIBUTES :1 = 0 BIT10 unused1 :1 = 0 BIT11 unused2 :1 = 0 BIT12 unused3 :1 = 0 BIT13 unused4 :1 = 0 BIT14 unused5 :1 = 0 BIT15 unused6 :1 = 0 BIT16 unused9 :1 = 0 BIT17 DELETE :1 = 0 BIT18 READ_CONTROL :1 = 0 BIT19 WRITE_DAC :1 = 0 BIT20 WRITE_OWNER :1 = 0 BIT21 SYNCHRONIZE :1 = 0x1 BIT22 unused10 :1 = 0 BIT23 unused11 :1 = 0 BIT24 unused12 :1 = 0 BIT25 ACCESS_SYSTEM_SECURITY :1 = 0 BIT26 MAXIUM :1 = 0 BIT27 unused13 :1 = 0 BIT28 unused14 :1 = 0 BIT29 GENERIC_ALL :1 = 0 BIT30 GENERIC_EXECUTE :1 = 0 BIT31 GENERIC_WRITE :1 = 0 BIT32 GENERIC_READ :1 = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x52 USHORT MaximumLength = 0x54 STR Buffer = { char [256] chars = [ "\??\C:\Windows\system32\en-US\cmd.exe.mui" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x1 } FILE_SHARE_ACCESS ShareAccess = { BIT1 FILE_SHARE_READ :1 = 0x1 BIT2 FILE_SHARE_WRITE :1 = 0 BIT3 FILE_SHARE_DELETE :1 = 0x1 } FILE_OPTIONS OpenOptions = { BIT1 DIRECTORY_FILE = 0 BIT2 WRITE_THROUGH = 0 BIT3 SEQUENTIAL_ONLY = 0 BIT4 NO_INTERMEDIATE_BUFFERING = 0 BIT5 SYNCHRONOUS_IO_ALERT = 0 BIT6 SYNCHRONOUS_IO_NONALERT = 0x1 BIT7 NON_DIRECTORY_FILE = 0x1 BIT8 CREATE_TREE_CONNECTION = 0 BIT9 COMPLETE_IF_OPLOCKED = 0 BIT10 NO_EA_KNOWLEDGE = 0 BIT11 OPEN_REMOTE_INSTANCE = 0 BIT12 RANDOM_ACCESS = 0 BIT13 DELETE_ON_CLOSE = 0 BIT14 OPEN_BY_FILE_ID = 0 BIT15 OPEN_FOR_BACKUP_INTENT = 0 BIT16 NO_COMPRESSION = 0 BIT17 OPEN_REQUIRING_OPLOCK = 0 BIT18 DISALLOW_EXCLUSIVE = 0 BIT19 SESSION_AWARE = 0 BIT20 RESERVE_OPFILTER = 0 BIT21 OPEN_REPARSE_POINT = 0 BIT22 OPEN_NO_RECALL = 0 BIT23 OPEN_FOR_FREE_SPACE_QUERY = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCreateSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtCreateSection csyscall = { PHANDLE SectionHandle = 0x128 ACCESS_MASK_SECTION DesiredAccess = { BIT1 QUERY = 0x1 BIT2 MAP_WRITE = 0 BIT3 MAP_READ = 0x1 BIT4 MAP_EXECUTE = 0 BIT5 EXTEND_SIZE = 0 BIT6 MAP_EXECUTE_EXPLICIT = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0x1 BIT18 READ_CONTROL = 0x1 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } LARGE_INTEGER MaximumSize = 0 ULONG SectionPageProtection = 0x2 ULONG AllocationAttributes = 0x8000000 HANDLE FileHandle = { void *h = 0x124 STR name = { char [256] chars = [ "\??\C:\Windows\system32\en-US\cmd.exe.mui" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtMapViewOfSectionCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtMapViewOfSection csyscall = { HANDLE SectionHandle = { void *h = 0x128 STR name = { char [256] chars = [ "" ] } } HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 ULONG ZeroBits = 0 SIZE_T CommitSize = 0 LARGE_INTEGER SectionOffset = 0 SIZE_T ViewSize = 0x21000 SECTION_INHERIT InheritDisposition = ViewShare ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT WinProtect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0x1 BIT3 PAGE_READWRITE = 0 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x128 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2e7a8 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2e880 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2f418 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2f4c0 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2f750 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2f418 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2f4c0 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a571d0000 MEMORY_INFORMATION_CLASS MemoryInformationClass = MemoryRegionInformation PVOID MemoryInformation = 0xf23ad2f750 SIZE_T MemoryInformationLength = 0x30 SIZE_T ReturnLength = 0 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x7ff700000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fc10 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x90ba00000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fc10 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x90ba00000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fc10 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtFreeVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtFreeVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ad2f958 SIZE_T RegionSize = 0x1f000 ULONG FreeType = 0x4000 NTSTATUS result = STATUS_SUCCESS } }struct NtFreeVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtFreeVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23ad2f958 SIZE_T RegionSize = 0x8000 ULONG FreeType = 0x4000 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x68 STR name = { char [256] chars = [ "\Input" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0xf200000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fd40 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenThreadTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenThreadToken csyscall = { PHANDLE ThreadHandle = 0xfffffffffffffffe ACCESS_MASK_THREAD DesiredAccess = { BIT1 TERMINATE = 0 BIT2 SUSPEND_RESUME = 0 BIT3 ALERT = 0 BIT4 GET_CONTEXT = 0x1 BIT5 SET_CONTEXT = 0 BIT6 SET_INFORMATION = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 SET_LIMITED_INFORMATION = 0 BIT12 QUERY_LIMITED_INFORMATION = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } BOOLEAN OpenAsSelf = 0 PHANDLE TokenHandle = 0 NTSTATUS result = -1073741700 } }struct NtOpenProcessTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtOpenProcessToken csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0x1 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } PHANDLE TokenHandle = 0x128 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x128 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenElevationType PVOID TokenInformation = 0x3 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtQueryInformationTokenCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryInformationToken csyscall = { HANDLE TokenHandle = { void *h = 0x128 STR name = { char [256] chars = [ "" ] } } TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUIAccess PVOID TokenInformation = 0xa9f200000000 ULONG TokenInformationLength = 0x4 ULONG ReturnedResultLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x128 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x25a00000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2f880 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0x25a57441000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x1f000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x6c STR name = { char [256] chars = [ "\Output" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0xf200000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2f8c0 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x68 STR name = { char [256] chars = [ "\Input" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fc00 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x68 STR name = { char [256] chars = [ "\Input" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fc00 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryVolumeInformationFileCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtQueryVolumeInformationFile csyscall = { HANDLE FileHandle = { void *h = 0x68 STR name = { char [256] chars = [ "\Input" ] } } IO_STATUS_BLOCK IoStatusBlock = { Int32 Status = 0 void *Pointer = 0x90ba00000000 UInt64 Information = 0x8 } PVOID FsInformation = 0xf23ad2fc00 ULONG Length = 0x8 FS_INFORMATION_CLASS FsInformationClass = FileFsDeviceInformation NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0833decb080 PVOID caller = 0xfffff8069f768b70 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x1050 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0832f384080 PVOID caller = 0xfffff806850800e6 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x18d0 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationProcess csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PROCESSINFOCLASS ProcessInformationClass = ProcessThreadStackAllocation PVOID ProcessInformation = 0xffff8883d6ad6b10 ULONG ProcessInformationSize = 0x28 NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0832f384080 PVOID caller = 0xfffff80685080152 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x18d0 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23b204000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0xfc000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateVirtualMemoryCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc0832f384080 PVOID caller = 0xfffff806850801a8 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x18d0 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateVirtualMemory csyscall = { HANDLE ProcessHandle = { void *h = 0xffffffffffffffff STR name = { char [256] chars = [ "NtCurrentProcess" ] } } PVOID BaseAddress = 0xf23b201000 ULONG ZeroBits = 0 SIZE_T RegionSize = 0x3000 ALLOCATION_TYPE AllocationType = { BIT1 MEM_UNMAP_WITH_TRANSIENT_BOOST = 0 BIT2 MEM_PRESERVE_PLACEHOLDER = 0 BIT3 BIT3 = 0 BIT4 BIT4 = 0 BIT5 BIT5 = 0 BIT6 BIT6 = 0 BIT7 BIT7 = 0 BIT8 BIT8 = 0 BIT9 BIT9 = 0 BIT10 BIT10 = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 MEM_COMMIT = 0x1 BIT14 MEM_RESERVE = 0 BIT15 MEM_DECOMMIT = 0 BIT16 MEM_RELEASE = 0 BIT17 MEM_FREE = 0 BIT18 BIT18 = 0 BIT19 MEM_RESERVE_PLACEHOLDER = 0 BIT20 MEM_RESET = 0 BIT21 MEM_TOP_DOWN = 0 BIT22 MEM_WRITE_WATCH = 0 BIT23 MEM_PHYSICAL = 0 BIT24 MEM_DIFFERENT_IMAGE_BASE_OK = 0 BIT25 MEM_RESET_UNDO = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 MEM_LARGE_PAGES = 0 BIT31 BIT31 = 0 BIT32 MEM_4MB_PAGES = 0 } PAGE_PROTECT Protect = { BIT1 PAGE_NOACCESS = 0 BIT2 PAGE_READONLY = 0 BIT3 PAGE_READWRITE = 0x1 BIT4 PAGE_WRITECOPY = 0 BIT5 PAGE_EXECUTE = 0 BIT6 PAGE_EXECUTE_READ = 0 BIT7 PAGE_EXECUTE_READWRITE = 0 BIT8 PAGE_EXECUTE_WRITECOPY = 0 BIT9 PAGE_GUARD = 0x1 BIT10 PAGE_NOCACHE = 0 BIT11 PAGE_WRITECOMBINE = 0 BIT12 PAGE_GRAPHICS_NOACCESS = 0 BIT13 PAGE_GRAPHICS_READONLY = 0 BIT14 PAGE_GRAPHICS_READWRITE = 0 BIT15 PAGE_GRAPHICS_EXECUTE = 0 BIT16 PAGE_GRAPHICS_EXECUTE_READ = 0 BIT17 PAGE_GRAPHICS_EXECUTE_READWRITE = 0 BIT18 PAGE_GRAPHICS_COHERENT = 0 BIT19 PAGE_GRAPHICS_NOCACHE = 0 BIT20 BIT20 = 0 BIT21 BIT21 = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 BIT26 = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 PAGE_ENCLAVE_MASK = 0 BIT30 PAGE_ENCLAVE_UNVALIDATED = 0 BIT31 PAGE_TARGETS_NO_UPDATE = 0 BIT32 PAGE_ENCLAVE_THREAD_CONTROL = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069f7690de struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0 Int32 HighPart = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtSetEventCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetEvent csyscall = { HANDLE EventHandle = { void *h = 0x44 STR name = { char [256] chars = [ "" ] } } LONG PreviousState = 0x2e646d63 NTSTATUS result = STATUS_SUCCESS } }struct NtTestAlertCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTestAlert csyscall = { NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationThread csyscall = { HANDLE ThreadHandle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } THREADINFOCLASS ThreadInformationClass = ThreadBasicInformation PVOID ThreadInformation = 0 ULONG ThreadInformationLength = 0x1f80 NTSTATUS result = STATUS_SUCCESS } }struct NtTerminateProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtTerminateProcess csyscall = { HANDLE ProcessHandle = { void *h = 0 STR name = { char [256] chars = [ "" ] } } NTSTATUS ExitStatus = -1073741510 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x104 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xfc STR name = { char [256] chars = [ "\??\C:\Windows\SYSTEM32\winbrand.dll" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationThread csyscall = { HANDLE ThreadHandle = { void *h = 0xfffffffffffffffe STR name = { char [256] chars = [ "NtCurrentThread" ] } } THREADINFOCLASS ThreadInformationClass = ThreadZeroTlsCell PVOID ThreadInformation = 0x1 ULONG ThreadInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtSetInformationThreadCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtSetInformationThread csyscall = { HANDLE ThreadHandle = { void *h = 0xfffffffffffffffe STR name = { char [256] chars = [ "NtCurrentThread" ] } } THREADINFOCLASS ThreadInformationClass = ThreadZeroTlsCell PVOID ThreadInformation = 0x2 ULONG ThreadInformationLength = 0x4 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xd4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xdc STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xe0 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xe4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xe8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xf0 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xec STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xb4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xb8 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xb0 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xac STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x54 STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings\Software\Microsoft" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x5c STR name = { char [256] chars = [ "\REGISTRY\USER\S-1-5-21-2685504809-3386703567-3639213877-1001\Software\Classes\Local Settings" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xa4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0xa8 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection\Software\Microsoft\Ole" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x50 STR name = { char [256] chars = [ "\Sessions\1\Windows\SharedSection" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x40 STR name = { char [256] chars = [ "\KnownDlls\KnownDllPath" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x74 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = UserMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = true struct _TOKEN *token = 0xffffb002f4e91060 TOKEN_TYPE tokenType = TokenPrimary INTEGRITY_LEVEL integrity = MEDIUM struct NtClose csyscall = { HANDLE Handle = { void *h = 0x78 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0x4e BIT2 CREATE_THREAD = 0x74 BIT3 SET_SESSIONID = 0x43 BIT4 VM_OPERATION = 0x75 BIT5 VM_READ = 0x72 BIT6 VM_WRITE = 0x72 BIT7 DUP_HANDLE = 0x65 BIT8 CREATE_PROCESS = 0x6e BIT9 SET_QUOTA = 0x74 BIT10 SET_INFORMATION = 0x50 BIT11 QUERY_INFORMATION = 0x72 BIT12 SUSPEND_RESUME = 0x6f BIT13 QUERY_LIMITED_INFORMATION = 0x63 BIT14 BIT14 = 0x65 BIT15 BIT15 = 0x73 BIT16 BIT16 = 0x73 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069c11e884 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069fd64663 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044d4 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069fd646fe struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenProcessCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069c1329b3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtOpenProcess csyscall = { PHANDLE ProcessHandle = 0xffffffff800044d4 ACCESS_MASK_PROCESS DesiredAccess = { BIT1 TERMINATE = 0 BIT2 CREATE_THREAD = 0 BIT3 SET_SESSIONID = 0 BIT4 VM_OPERATION = 0 BIT5 VM_READ = 0 BIT6 VM_WRITE = 0 BIT7 DUP_HANDLE = 0 BIT8 CREATE_PROCESS = 0 BIT9 SET_QUOTA = 0 BIT10 SET_INFORMATION = 0 BIT11 QUERY_INFORMATION = 0 BIT12 SUSPEND_RESUME = 0 BIT13 QUERY_LIMITED_INFORMATION = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0 BIT20 WRITE_OWNER = 0 BIT21 SYNCHRONIZE = 0 BIT22 BIT22 = 0 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0x1 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0 USHORT MaximumLength = 0 STR Buffer = { char [256] chars = [ "" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } CLIENT_ID ClientId = { void *UniqueProcess = 0x4814 void *UniqueThread = 0 } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069c11c4e0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtOpenKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069a5493f0 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtOpenKey csyscall = { PHANDLE KeyHandle = 0xffffffff800044d4 ACCESS_MASK_KEY DesiredAccess = { BIT1 QUERY_VALUE = 0x1 BIT2 SET_VALUE = 0x1 BIT3 CREATE_SUB_KEY = 0x1 BIT4 ENUMERATE_SUB_KEYS = 0x1 BIT5 NOTIFY = 0x1 BIT6 CREATE_LINK = 0x1 BIT9 WOW64_64KEY = 0 BIT10 WOW64_32KEY = 0 BIT11 BIT11 = 0 BIT12 BIT12 = 0 BIT13 BIT13 = 0 BIT14 BIT14 = 0 BIT15 BIT15 = 0 BIT16 BIT16 = 0 BIT17 DELETE = 0 BIT18 READ_CONTROL = 0 BIT19 WRITE_DAC = 0x1 BIT20 WRITE_OWNER = 0x1 BIT21 SYNCHRONIZE = 0x1 BIT22 BIT22 = 0x1 BIT23 BIT23 = 0 BIT24 BIT24 = 0 BIT25 BIT25 = 0 BIT26 MAXIMUM = 0 BIT27 BIT27 = 0 BIT28 BIT28 = 0 BIT29 BIT29 = 0 BIT30 GENERIC_EXECUTE = 0 BIT32 GENERIC_READ = 0 BIT31 GENERIC_WRITE = 0 } OBJECT_ATTRIBUTES ObjectAttributes = { ULONG Length = 0x30 HANDLE RootDirectory = { void *h = 0x80000314 STR name = { char [256] chars = [ "" ] } } UNICODE_STRING ObjectName = { USHORT Length = 0x5c USHORT MaximumLength = 0x178 STR Buffer = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } OBJECT_ATTRIBUTES_ATTRIBUTES Attributes = { BIT1 PROTECT_CLOSE = 0 BIT2 INHERIT = 0 BIT3 AUDIT_OBJECT_CLOSE = 0 BIT4 UNUSED = 0 BIT5 PERMANENT = 0 BIT6 EXCLUSIVE = 0 BIT7 CASE_INSENSITIVE = 0x1 BIT8 OPENIF = 0 BIT9 OPENLINK = 0 BIT10 KERNEL_HANDLE = 0x1 BIT11 FORCE_ACCESS_CHECK = 0 BIT12 IGNORE_IMPERSONATED_DEVICEMAP = 0 BIT13 DONT_REPARSE = 0 } SECURITY_DESCRIPTOR SecurityDescriptor = { UCHAR Revision = 0 UCHAR Sbz1 = 0 USHORT Control = 0 void *Owner = 0 void *Group = 0 void *Sacl = 0 void *Dacl = 0 } SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService = { ULONG Length = 0 enum ImpersonationLevel = Anonymous UCHAR ContextTrackingMode = 0 UCHAR EffectiveOnly = 0 } } NTSTATUS result = STATUS_SUCCESS } }struct NtQueryValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069a548fe9 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtQueryValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x60 USHORT MaximumLength = 0x60 STR Buffer = { char [256] chars = [ "\Device\HarddiskVolume3\Windows\System32\cmd.exe" ] } } KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass = KeyValuePartialInformation PVOID KeyValueInformation = 0x300000000 ULONG Length = 0x28 ULONG ResultLength = 0x24 NTSTATUS result = STATUS_SUCCESS } }struct NtSetValueKeyCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069a54934e struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtSetValueKey csyscall = { HANDLE KeyHandle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } UNICODE_STRING ValueName = { USHORT Length = 0x60 USHORT MaximumLength = 0x60 STR Buffer = { char [256] chars = [ "\Device\HarddiskVolume3\Windows\System32\cmd.exe" ] } } ULONG TitleIndex = 0 ULONG Type = 0x3 PVOID Data = 0xffff8883e0ec7680 ULONG DataSize = 0x18 NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069a5492f7 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtClose csyscall = { HANDLE Handle = { void *h = 0x800044d4 STR name = { char [256] chars = [ "S-1-5-21-2685504809-3386703567-3639213877-1001" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtCloseCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069a54eef3 struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtClose csyscall = { HANDLE Handle = { void *h = 0x80004c44 STR name = { char [256] chars = [ "" ] } } NTSTATUS result = STATUS_SUCCESS } }struct NtAllocateLocallyUniqueIdCALL { BOOL syscallEntered = true PEPROCESS EPROCESS = 0xffffc083e93e70c0 PETHREAD ETHREAD = 0xffffc083848da540 PVOID caller = 0xfffff8069f76a2aa struct execimage imageFile = { char [15] filename = [ "cmd.exe" ] } KPROCESSOR_MODE PreviousMode = KernelMode PID pid = 0x4814 TID tid = 0x2840 BOOL impersonating = false struct _TOKEN *token = 0 TOKEN_TYPE tokenType = 0 INTEGRITY_LEVEL integrity = UNKNOWN_INTEGRITY struct NtAllocateLocallyUniqueId csyscall = { LUID Luid = { UInt32 LowPart = 0x121793fb Int32 HighPart = 0x1 } NTSTATUS result = STATUS_SUCCESS } }