FILTER 8 1 5 0 PDMProcessDead
END

FILTER 8 1 14 0 PDMCreateProcess
PARAMS
DWORD 9 processId //don't change!
WSTRING 11 processName //don't change!
WSTRING 35 cmdLine
PVOID 71 imageHash
FORMAT 3
0 processName
1 cmdLine
2 imageHash To16BytesHex
END

FILTER 8 1 10 0 PDMExitThread
PARAMS
DWORD 19 destPid
DWORD 20 destTid
FORMAT 2
0 destPid PidToProcessName
1 destTid
END

FILTER 8 0 3 0 1000000 OpenProcess
PARAMS
DWORD 10 processId
DWORD 3 access
FORMAT 3
END

FILTER 8 1 7 0 1000000 CreateThread
PARAMS
DWORD 20 threadId
FORMAT 6
4 CONSTANT 0
END

FILTER 8 0 50 0 1000000 OpenThread
PARAMS
DWORD 10 processId
DWORD 20 threadId
DWORD 3 access
FORMAT 3
0 processId PidToProcessName
END

FILTER 8 0 0 0 1000000 TerminateProcess
PARAMS
DWORD 10 processId
FORMAT 2
0 processId ToHex
END

FILTER 8 0 11 0 1000000 WriteProcessMemory
PARAMS
DWORD 10 processId
DWORD 8 addr
FORMAT 5
0 processId PidToProcessName
1 addr ToHex
END

FILTER 8 0 4 0 1000000 CreateSection
PARAMS
WSTRING 11 name
FORMAT 1
0 name ToDosName
END

FILTER 8 1 8 0 1000000 CreateRemoteThread
PARAMS
DWORD 10 processId
DWORD 24 startAdress
BYTE 23 isSuspended
FORMAT 7
0 processId PidToProcessName
5 isSuspended
END

FILTER 8 0 40 0 1000000 SuspendThread
PARAMS
DWORD 19 processId
DWORD 20 threadId
FORMAT 1
0 processId PidToProcessName
END

FILTER 8 0 41 0 1000000 ResumeThread
PARAMS
DWORD 19 processId
DWORD 20 threadId
FORMAT 1
0 processId PidToProcessName
END

FILTER 8 0 16 0 1000000 PDMSetWindowsHookEx
PARAMS
DWORD 10 processId
WSTRING 11 dllName
DWORD 19 hookId
DWORD 20 threadId
FORMAT 4
0 processId PidToProcessName
2 hookId
3 dllName
END

FILTER 8 0 25 0 1000000 SetWinEventHook
PARAMS
WSTRING 11 dllName
FORMAT 7
END

FILTER 8 0 13 0 1000000 SetThreadContext
PARAMS
DWORD 19 processId
DWORD 20 threadId
FORMAT 2
0 processId PidToProcessName
END

FILTER 8 0 23 0 1000000 PostMessage
PARAMS
DWORD 10 processId
DWORD 36 msgId
FORMAT 4
0 processId PidToProcessName
1 msgId
END

FILTER 3 0 18 0 1000000 PDMFileAccessd
PARAMS
WSTRING 11 fileName
DWORD 13 flags
FORMAT 2
0 fileName ToDosName
1 flags ToBin
END

FILTER 3 0 0 0 1000000 CreateFile
PARAMS
WSTRING 11 fileName
DWORD 13 flags
FORMAT 7
0 fileName ToDosName
//4 flags
6 CONSTANT 0x0
END

FILTER 3 1 6 13 1000000 DeleteFile
PARAMS
WSTRING 11 fileName
FORMAT 1
0 fileName
END

FILTER 1 0 9 0 1000000 PDMRegOpenKey
PARAMS
WSTRING 11 keyName
END

FILTER 1 0 10 0 1000000 PDMRegQueryKey
PARAMS
WSTRING 11 keyName
END

FILTER 1 0 12 0 1000000 PDMRegQueryValue
PARAMS
WSTRING 11 keyName
WSTRING 17 valueName
END

FILTER 1 0 17 0 1000000 PDMRegSetValue
PARAMS
WSTRING 11 keyName
WSTRING 17 valueName
DYNAMIC 1 value 9
FORMAT 3
0 keyName
1 valueName
2 value
END

FILTER 1 0 0 0 1000000 PDMRegCreateKey
PARAMS
WSTRING 11 keyName
END

FILTER 1 0 1 0 1000000 PDMRegDeleteKey
PARAMS
WSTRING 11 keyName
END

FILTER 1 0 2 0 1000000 PDMRegDeleteValue
PARAMS
WSTRING 11 keyName
WSTRING 17 valueName
END

FILTER 1 0 3 0 1000000 PDMRegEnumKeys
PARAMS
WSTRING 11 keyName
END

FILTER 1 0 4 0 1000000 PDMRegEnumValues
PARAMS
WSTRING 11 keyName
END

FILTER 1 0 7 0 1000000 PDMRegLoadKey
PARAMS
WSTRING 11 keyName
END

FILTER 1 0 13 0 1000000 PDMRegReplaceKey
PARAMS
WSTRING 11 keyName
WSTRING 12 destKeyName
END

FILTER 1 0 15 0 1000000 PDMRegSaveKey
PARAMS
WSTRING 11 keyName
WSTRING 12 fileName
END

FILTER 1 0 14 0 1000000 PDMRegRestoreKey
PARAMS
WSTRING 12 keyName
WSTRING 11 fileName
END

FILTER 8 0 44 0 1000000 CoCreateInstance
PARAMS
PVOID 42 guid
FORMAT 5
END

FILTER 8 0 47 0 1000000 CoGetClassObject
PARAMS
PVOID 42 guid
FORMAT 5
END

FILTER 8 0 26 0 1000000 ZwLoadDriver
PARAMS
WSTRING 11 driverName
END

FILTER 8 0 31 0 1000000 PDMLoadAndCall
PARAMS
WSTRING 11 driverName
END

FILTER 8 0 37 0 1000000 PDMShutDownSystem
END

FILTER 8 0 19 0 1000000 PDMAccessPhysMem
END

FILTER 8 0 28 0 1000000 ZwSystemDebugControl
PARAMS
DWORD 40 command
FORMAT 6
0 command
END

FILTER 8 0 39 0 1000000 PDMAccessFileSectors
PARAMS
WSTRING 11 fileName
END

FILTER 8 0 35 0 1000000 PDMProtectedStorage
END

FILTER 8 0 38 0 1000000 PDMVolumeAccess
PARAMS
WSTRING 21 volumeName
END

FILTER 8 0 27 0 1000000 PDMScreenShot
END

FILTER 8 0 42 0 1000000 ZwQueueApcThread
PARAMS
DWORD 19 processId
FORMAT 5
0 processId PidToProcessName
END

FILTER 8 0 21 0 1000000 PDMSendInput
PARAMS
DWORD 45 isScreenShot
END

FILTER 8 0 45 0 1000000 gethostbyname
PARAMS
WSTRING 11 hostName
END

FILTER 8 0 20 0 1000000 PDMKeyLoggerDetected
PARAMS
WSTRING 11 driverName
END

FILTER 8 0 36 0 1000000 PDMRawInputDevice
END

FILTER 8 0 46 0 1000000 PDMIrpChangeHandler
PARAMS
WSTRING 11 driverName
DWORD 30 irpNum
END

FILTER 8 0 49 0 1000000 PDMAdjustPrivilege
PARAMS
DWORD 29 luid
FORMAT 1
0 luid
END