NtQueryInformationProcess with ProcessInformationClass = 7 = ProcessDebugPort

The presence of NtSetInformationThread with ThreadInformationClass = 0x11 = ThreadHideFromDebugger means “the debugger will stop receiving debug information or exceptions from this thread.”
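
For triage, the two calls above can be flagged in an API-call trace. The following Python script is an added example, not part of the original analysis; the trace line format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re

# Information-class values named in the text above.
ANTI_DEBUG_CLASSES = {
    ("NtQueryInformationProcess", "ProcessInformationClass"): {7: "ProcessDebugPort"},
    ("NtSetInformationThread", "ThreadInformationClass"): {0x11: "ThreadHideFromDebugger"},
}

# Constructed trace format (an assumption): "<tid> <api>(<name>=<value>, ...)"
CALL_RE = re.compile(r"^(?P<tid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*$")

# Constructed sample trace lines, not taken from a real sample.
SAMPLE_TRACE = """\
1204 NtQueryInformationProcess(ProcessHandle=0xffffffffffffffff, ProcessInformationClass=7, Length=8)
1204 NtQueryInformationProcess(ProcessHandle=0xffffffffffffffff, ProcessInformationClass=0, Length=48)
1204 NtSetInformationThread(ThreadHandle=0xfffffffffffffffe, ThreadInformationClass=0x11, Length=0)
1310 NtSetInformationThread(ThreadHandle=0xfffffffffffffffe, ThreadInformationClass=17, Length=0)
1310 NtClose(Handle=0x1c4)
garbage line that does not parse
"""

def parse_args(arg_text):
    """Turn 'A=1, B=0x11' into {'A': 1, 'B': 17}; non-numeric values stay strings."""
    args = {}
    for part in arg_text.split(","):
        name, sep, value = part.strip().partition("=")
        if not sep:
            continue
        try:
            args[name] = int(value, 0)  # base 0 accepts both decimal and 0x-prefixed hex
        except ValueError:
            args[name] = value
    return args

def find_anti_debug_calls(trace):
    """Return (line number, thread id, API, class name) for each flagged call."""
    findings = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = CALL_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        args = parse_args(m["args"])
        for (api, param), classes in ANTI_DEBUG_CLASSES.items():
            if m["api"] == api and args.get(param) in classes:
                findings.append((lineno, int(m["tid"]), api, classes[args[param]]))
    return findings

if __name__ == "__main__":
    for finding in find_anti_debug_calls(SAMPLE_TRACE):
        print("line %d tid %d: %s -> %s" % finding)
```

Recording the thread id matters for ThreadHideFromDebugger because the effect is per thread: exceptions and debug events from that thread stop reaching the debugger while other threads remain visible.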

The malware then checks whether Windows was started in Normal boot or in Fail-safe boot. If Fail-safe boot is detected, the malware attempts to reboot the operating system.
