| Operation | Data | Completion | Time |
|---|---|---|---|
| Section loaded | Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid | success or wait | 1579573038 |
| Section loaded | Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid | success or wait | 1579603962 |
| Section loaded | Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid | success or wait | 1579608010 |
| Section loaded | Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid | success or wait | 1579610396 |
| Section loaded | Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid | success or wait | 1579611762 |
| Section loaded | Path: \KnownDlls\MSVCRT.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid | success or wait | 1579624672 |
| Section loaded | Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type: image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid | success or wait | 1579640028 |
| Section loaded | Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid | success or wait | 1579682499 |
| Section loaded | Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid | success or wait | 1579686097 |
| Section loaded | Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid | success or wait | 1579709670 |
| Section loaded | Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid | success or wait | 1579717399 |
| Section loaded | Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid | success or wait | 1579726115 |
| Section loaded | Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 340000 Size: 12288 Protection: readonly Mapped to pid: own pid | success or wait | 1579753181 |
| Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid | success or wait | 1579778166 |
| Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid | success or wait | 1579784519 |
| Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid | success or wait | 1579789095 |
| Memory attributes changed | PID: 992 Path: C:\bb5511a6586ba04335712e6c65e83671.exe Base: 400000 Length: 1000 New Protection: page execute and read and write New Protection: page readonly | success or wait | 1579930551 |
| Memory attributes changed | PID: 992 Path: C:\bb5511a6586ba04335712e6c65e83671.exe Base: 401000 Length: 2000 New Protection: page execute and read and write New Protection: page execute read | success or wait | 1579931262 |
| Memory attributes changed | PID: 992 Path: C:\bb5511a6586ba04335712e6c65e83671.exe Base: 403000 Length: 1000 New Protection: page execute and read and write New Protection: page readonly | success or wait | 1579931965 |
| Memory attributes changed | PID: 992 Path: C:\bb5511a6586ba04335712e6c65e83671.exe Base: 404000 Length: 1000 New Protection: page execute and read and write New Protection: page write copy | success or wait | 1579932625 |
| Memory attributes changed | PID: 992 Path: C:\bb5511a6586ba04335712e6c65e83671.exe Base: 405000 Length: 1D000 New Protection: page execute and read and write New Protection: page readonly | success or wait | 1579934256 |
| System info queried | Type: ProcessInformation | success or wait | 1579940116 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579952641 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579953619 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579956134 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579958453 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579959424 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579960371 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579961296 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579962243 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579963427 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579964378 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579965619 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579966982 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579968449 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579969689 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579970928 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579972286 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579973536 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579975217 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579976467 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579981482 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579982777 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579984018 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579987951 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579989344 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1579990895 |
| System info queried | Type: ProcessInformation | success or wait | 1579992432 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580004928 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580005882 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580008243 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580009221 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580010164 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580011250 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580012233 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580013175 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580014114 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580015307 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580016558 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580017796 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580019033 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580020267 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580021610 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580022851 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580024087 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580025720 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580027047 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580028286 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580029523 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580030898 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580032211 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580033468 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580037668 |
| File created | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1580061630 |
| File write | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp Offset: none Length: 5632 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 | success or wait | 1580162013 |
| File moved | New path: C:\WINDOWS\system32\drivers\bios.sys Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp | success or wait | 1580193352 |
| File opened | Path: MyDeviceDriver Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false | 12FAD0 | 1580270320 |
| System info queried | Type: ProcessInformation | success or wait | 1580271835 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580308470 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580309433 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580315644 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580329429 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580330431 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 370000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580331377 |
| System info queried | Type: ProcessInformation | success or wait | 1580399536 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580411952 |
| Section loaded | Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid | success or wait | 1580415034 |
| File moved | New path: C:\WINDOWS\system32\drivers\beep.sys.bak Path: C:\WINDOWS\system32\drivers\beep.sys | success or wait | 1580543455 |
| File copied | From: C:\WINDOWS\system32\drivers\bios.sys to: C:\WINDOWS\system32\drivers\bios.sys1 | success or wait | 1580720313 |
| Section loaded | Path: C:\WINDOWS\system32\drivers\bios.sys Access: query and write and read and execute and extend size Type: commit Baseaddress: 370000 Size: 8192 Protection: readonly Mapped to pid: own pid | success or wait | 1580846748 |
| File copied | From: C:\WINDOWS\system32\drivers\bios.sys to: C:\WINDOWS\system32\drivers\bios.sys2 | success or wait | 1580907938 |
| Section loaded | Path: C:\WINDOWS\system32\drivers\bios.sys Access: query and write and read and execute and extend size Type: commit Baseaddress: 370000 Size: 8192 Protection: readonly Mapped to pid: own pid | success or wait | 1581020003 |
| File moved | New path: C:\WINDOWS\system32\drivers\beep.sys Path: C:\WINDOWS\system32\drivers\bios.sys1 | success or wait | 1581134316 |
| File moved | New path: C:\WINDOWS\system32\dllcache\beep.sysba Path: C:\WINDOWS\system32\drivers\bios.sys2 | success or wait | 1586413102 |
| File deleted | Path: C:\WINDOWS\system32\drivers\beep.sys | success or wait | 1587000305 |
| File moved | New path: C:\WINDOWS\system32\drivers\beep.sys Path: C:\WINDOWS\system32\drivers\beep.sys.bak | success or wait | 1587020174 |
| File deleted | Path: C:\WINDOWS\system32\drivers\bios.sys | success or wait | 1587050490 |
| File opened | Path: Bios Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true | success or wait | 1587068014 |
| File created | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1587069173 |
| File write | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp Offset: none Length: 2688 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 | success or wait | 1587100717 |
| File copied | From: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp to: c:\my.sys | success or wait | 1587105830 |
| Section loaded | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp Access: query and write and read and execute and extend size Type: commit Baseaddress: 370000 Size: 4096 Protection: readonly Mapped to pid: own pid | success or wait | 1587128843 |
| File deleted | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp | success or wait | 1587133981 |
| File created | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1587144908 |
| File write | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp Offset: none Length: 7680 Value: 55 AA 0F E9 4E 00 00 00 00 00 00 00 00 6A 00 00 00 00 00 00 00 00 00 00 1C 00 34 00 50 43 49 52 EC 10 39 81 00 00 18 00 00 02 00 00 08 00 01 02 00 80 00 00 24 50 6E 50 01 02 00 00 00 65 00 00 00 00 00 00 00 00 02 00 00 64 00 00 00 00 00 00 00 00 00 00 9C 66 60 06 1E FC E8 00 1C 33 C0 8E D0 BC 00 7C | success or wait | 1587160482 |
| File moved | New path: C:\WINDOWS\system32\drivers\bios.sys Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFE0F5.tmp | success or wait | 1587165822 |
| File opened | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hook.rom Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false | success or wait | 1587172943 |
| File read | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hook.rom Offset: none Length: 7680 Value: 55 AA 0F E9 4E 00 00 00 00 00 00 00 00 6A 00 00 00 00 00 00 00 00 00 00 1C 00 34 00 50 43 49 52 EC 10 39 81 00 00 18 00 00 02 00 00 08 00 01 02 00 80 00 00 24 50 6E 50 01 02 00 00 00 65 00 00 00 00 00 00 00 00 02 00 00 64 00 00 00 00 00 00 00 00 00 00 9C 66 60 06 1E FC E8 00 1C 33 C0 8E D0 BC 00 7C | success or wait | 1587173897 |
| Privilege adjusted | Privilege: Security On or off: on | success or wait | 1587187516 |
| File opened | Path: PHYSICALDRIVE0 Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1587187729 |
| File other operation | Disposition: PositionInformation Data : Offset: 0 Path: \Device\Harddisk0\DR0 | success or wait | 1587193961 |
| File read | Path: \Device\Harddisk0\DR0 Offset: none Length: 512 Value: 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04 38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5 83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88 4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B 80 7E 04 0C | success or wait | 1587195636 |
| File other operation | Disposition: PositionInformation Data : Offset: 0 Path: \Device\Harddisk0\DR0 | success or wait | 1587196869 |
| File write | Path: \Device\Harddisk0\DR0 Offset: none Length: 7168 Value: 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC 50 BE 00 7C BF 00 06 B9 00 02 F3 A4 BF 1E 06 57 CB B4 41 B2 80 BB AA 55 CD 13 81 FB 55 AA 75 30 F6 C1 01 74 2B BE 00 08 C7 04 10 00 C7 44 02 06 00 C7 44 04 00 7C C7 44 06 00 00 C6 44 08 01 B9 07 00 BF 09 08 C6 05 00 47 E2 FA B8 00 42 EB 0B B8 06 02 BB 00 7C B9 | success or wait | 1587200497 |
| File deleted | Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hook.rom | success or wait | 1587206813 |