```plantuml
@startuml
hide empty description

[*] --> CreateFile
CreateFile --> FileHandle
FileHandle --> Write
FileHandle --> NtCreateSection
Write -[hidden]-> NtCreateSection
NtCreateSection --> SectionHandle
SectionHandle --> NtCreateProcessEx
FileHandle --> Modify
NtCreateProcessEx -[hidden]-> Modify
NtCreateProcessEx --> NtCreateThreadEx
Modify -[hidden]-> NtCreateThreadEx
NtCreateThreadEx --> [*]
FileHandle --> CloseFile
NtCreateThreadEx -[hidden]-> CloseFile
NtCreateThreadEx --> PspCallProcessNotifyRoutines
PspCallProcessNotifyRoutines -[hidden]-> [*]
CloseFile --> IRP_MJ_CLEANUP
IRP_MJ_CLEANUP -[hidden]-> [*]
PspCallProcessNotifyRoutines --> Inspect
PspCallProcessNotifyRoutines -[hidden]-> CloseFile
IRP_MJ_CLEANUP --> Inspect
Inspect -[hidden]-> [*]

CreateFile : Create target file, keep handle open.
Write : Write source payload into target file.
Modify : Obscure the file on disk.
NtCreateSection : Create section using file handle.
NtCreateProcessEx : Image section for process is mapped and cached in file object.
NtCreateThreadEx : The cached section is used.
NtCreateThreadEx : Process notify routines fire in kernel.
Inspect : The contents on disk do not match what was executed.
Inspect : Inspection of the file at this point will result in incorrect attribution.
@enduml
```