Hermes.exe
Windows Exe (x86-32)
Created at 2019-05-24T16:55:00
Remarks
(0x200000c): The maximum memory dump size was exceeded. Some dumps may be missing in the report.
Monitored Processes
Behavior Information - Sequential View
Process #1: hermes.exe
1564
1107
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\fd1hvy\desktop\hermes.exe |
| Command Line | "C:\Users\FD1HVy\Desktop\Hermes.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:01:43 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf4c |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F30
0x
37C
0x
368
0x
D20
0x
DB0
0x
8E8
0x
9FC
0x
DB4
0x
C48
0x
DC8
0x
F9C
0x
EB0
0x
F80
0x
E90
0x
FD4
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| hermes.exe | 0x00400000 | 0x00CCCFFF | Relevant Image | - | 32-bit | - |
|
|
|
| buffer | 0x001E0000 | 0x001E0FFF | Marked Executable | - | 32-bit | - |
|
|
|
| buffer | 0x001F0000 | 0x001F0FFF | Marked Executable | - | 32-bit | 0x001F0015 |
|
|
|
| buffer | 0x00DE0000 | 0x00DE0FFF | Marked Executable | - | 32-bit | - |
|
|
|
| buffer | 0x00E10000 | 0x00E10FFF | Marked Executable | - | 32-bit | - |
|
|
|
| buffer | 0x00E20000 | 0x00E20FFF | Marked Executable | - | 32-bit | - |
|
|
|
| buffer | 0x00F40000 | 0x00F40FFF | Marked Executable | - | 32-bit | - |
|
|
|
| buffer | 0x028F0000 | 0x028F0FFF | First Execution | - | 32-bit | 0x028F000F |
|
|
|
| buffer | 0x02900000 | 0x02900FFF | Marked Executable | - | 32-bit | - |
|
|
|
| system.ni.dll | 0x71DD0000 | 0x727AEFFF | Content Changed | - | 32-bit | 0x71F0D4A8, 0x71F8CDE0, ... |
|
|
|
| system.ni.dll | 0x71DD0000 | 0x727AEFFF | Content Changed | - | 32-bit | 0x71F0D2C0, 0x71F483B4 |
|
|
|
| system.ni.dll | 0x71DD0000 | 0x727AEFFF | Content Changed | - | 32-bit | 0x71FECE60 |
|
|
|
| system.ni.dll | 0x71DD0000 | 0x727AEFFF | Content Changed | - | 32-bit | 0x71F13D60, 0x71F0E7D0 |
|
|
|
| system.ni.dll | 0x71DD0000 | 0x727AEFFF | Content Changed | - | 32-bit | 0x71FE9374, 0x71F13D60 |
|
|
|
| system.ni.dll | 0x71DD0000 | 0x727AEFFF | Content Changed | - | 32-bit | 0x71FED000 |
|
|
|
| system.ni.dll | 0x71DD0000 | 0x727AEFFF | Content Changed | - | 32-bit | 0x71F8D254 |
|
|
|
| system.ni.dll | 0x71DD0000 | 0x727AEFFF | Content Changed | - | 32-bit | 0x71F0BBA0 |
|
|
|
Dropped Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\FD1HVy\Desktop\Hermes.exe | 5.38 MB |
MD5:
834ff8a44652ebeb620bffe8a945de03
SHA1: 97e2f8ae51c63baaf9340776666d9bed272db38f SHA256: 7558b47e44541d2417d91ce9308ada497f41fb2f550d9bc43231634fe2c1d5b9 SSDeep: 98304:QzHoxAJ5v1XlxuRSptA3mz9CKfHGFUWWsgkSeL2wmidHHoWv/heIY:42Ar1VxuRSptUmz9J3kSeLCAH3/RY |
|
|
| C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv | 68.95 KB |
MD5:
ad6c1f2a6cdd381ef1a13d3af369d118
SHA1: 33eb70333eedac9888111b1bd449171c56fcc2c4 SHA256: b01e060a3d7781da924fb6e4fd4eab6a5b09345e7be82a8958bc8f770e7a3294 SSDeep: 1536:qj3IKacgmlAQLDH6OeTeKGV6JOsiF5b+27IyxBTqXTH5t63Ye:q0vHQLebT506J385bBLaXTZt6oe |
|
|
| C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt | 26.84 KB |
MD5:
b78a35a6bd521d114a8a6e2380cd9c6b
SHA1: ec757667040dffd51a1469874a23627bf60c60c4 SHA256: 963368c18a93bd27937a1bc74ff6f071a372cd732651a8ce9ffc50964da37993 SSDeep: 768:I75uZUfiRELgRi3kv14eLTsj7E05fzSZu5:I7kKqyLgRoKSg0sI |
|
|
| C:\Users\FD1HVy\Desktop\NwrDTZ.docx | 9.89 KB |
MD5:
0b7811a107f951b464151c5d1a44584c
SHA1: d3a413a3eacb7a8f8ae3aba7511e4b31e8fc6901 SHA256: 18d8a6599ea1fe6d4c4eba5a6f990ad971d780a371d5db13d4e191549307b997 SSDeep: 192:KsoyJ/lZGucLKNCWQ/LGj2dhXnyCDlndl2OVJHuIx79OyL6MoUE49Z:KfmZqLKNnQ/c2DyCxn/56Ix5B6/UjZ |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png | 26.38 KB |
MD5:
57c90fd4575a333df65481cb5fbde5ea
SHA1: 83d4afc2810d7914b222da748d624aa12501472d SHA256: bd8eea59a031641a32cdcba0997a1098df6d3d1e9a1db8ba46d5cd053ecacaa9 SSDeep: 768:lguEWlTIdsLBts4i336GMS9Zj9PTRBd6bcpOz:oWRbBq4i3kS9l9rYOC |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg | 43.30 KB |
MD5:
2ba3444b16eb9089d30cea6c9a027c5b
SHA1: e8bebf538637c0c603bab60df123c5c230ba2170 SHA256: c61394c3380630708d5444c153777cf6a172c6d96c879ac2074b48c9bfe1ee98 SSDeep: 768:TCfGdOdx4IWvqBLB0vX/6rjiM9pzIFwlpb65R+PmjMh9VCuGuBrxLx0:e8bvqlWXWjb9OFwlpb65RWPzXBt10 |
|
|
| C:\Users\FD1HVy\Documents\1v32WDK.pptx | 21.83 KB |
MD5:
366ef990393cfd047c49a40abf6796f1
SHA1: d6755cfabbe4d6c235e6fe01e9dfe434ca31b23f SHA256: 1cf1863f1f108e20967657f0d62408bb8d39af087a3ec80dfef25a864b6c2669 SSDeep: 384:WOHIpAh+ICHTiaLxR2bfVUN5Btwgkj44bVCMBtelMg+UD4/mF9+Gm9a1dLSz0J:WOHIShRiLmbfVUHBWjfPeny+3m9aXT |
|
|
| C:\Users\FD1HVy\Documents\4z4 82v.xlsx | 85.00 KB |
MD5:
d5e0238a22f7bc784abfce03c9f95cd8
SHA1: 27686f68136c4715bbbfa9e4f9ab0e7a3fca2278 SHA256: 3ecba9d88d232d0585b2add438bc5e51880f8a112bbfb96f9ce5f7fc3da1e412 SSDeep: 1536:GObYmhDd8qOQvjon4omiI5YRE+xuEpVxbxdU+WMw7WiyB9hxbVIHkw7RVN1MB+:ZDhd8QFomkRE8umVx2/9W3B9hXINDMB+ |
|
|
| C:\Users\FD1HVy\Documents\9dHCFyZ_.odt | 87.84 KB |
MD5:
2ceb8c12ade85aa392ced42ceeab6b06
SHA1: 5f0e03816044369d1ff5e0d50af5c4d3dafb9b31 SHA256: aa2835f26ddccbfcf46a036c0e166d74c4f896adfca7e5ce73e42b082a7e0c77 SSDeep: 1536:IiJ1lJ6BXof7gm+rI0+fhxwyfBON6wueixk/6qDQOr1aJ2ihJEPW0xDjmXoakAIo:aVSMm+EHhxfBO0i+/koJ2e05mYZDc |
|
|
| C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx | 59.31 KB |
MD5:
304fbb23542e95c7e1ddf7f96fa92f18
SHA1: a8017643f3db2db54f5333cc9d6f3f73c3335286 SHA256: 81eb3ba9c4d9c2ea6768fc978a8f52c7085439d3b4ef1f5c44397da4cf7a1c61 SSDeep: 1536:q7H0iibmbRO1e93YrDkkTdxMSuPX9gV7+DFkjjrOKIbNIFz:q7UiiKFOE9YD3TXcPG7KFkfrIu |
|
|
| C:\Users\FD1HVy\Documents\IDj9.docx | 69.11 KB |
MD5:
f9f0de41922094a98aa6eb1069bd71f1
SHA1: 312a14d8c0fe53b8e3a50d21bd9be623e8317b6d SHA256: 1e7b3980e03e94b51f523a1cfbe993c560db00e7fddbe3eaecc946736d9cb5eb SSDeep: 1536:9jSYA2iTywJIRZTYYlhjt8gB0tmr0fg43NTwWaGBnK:9jSD2zwSrNR8Vk0fnTdaqK |
|
|
| C:\Users\FD1HVy\Documents\oK6_.pptx | 72.27 KB |
MD5:
c100d596d86f2114cb136b36e8dfe4b7
SHA1: 0b6d33ddca29af40800a5e6d621646c8fd81dd1e SHA256: eb969b956f0864474d6ccf5e7c588bdc14e3223d759f43fa2855be7da7bc3ca0 SSDeep: 1536:WBr87ww8P6O++j6nuNVlrIuY/fCqrEjTIEYbtWFu:WVuf8PWnEVllYiZjTInRp |
|
|
| C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx | 10.56 KB |
MD5:
7fa4252827c5ce4266e99697db5e9d27
SHA1: 481a0a4ecf152d1a0cf3c587dfdb65ed00797403 SHA256: 04e016d28a310ed0b51b34c9b2130624d67e636205e96d7e12b96e175f220cd2 SSDeep: 192:WRxd11WHI1MFw6Mcxo99wdSnkvvTbWNzpBQBau7k1K2tH+/k7VRzMxjdEc/j:Wfd1II1ItXo9Wdi+qQV7OH+kRzYx//j |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf | 54.62 KB |
MD5:
bdd278c06d2e1fbcbad8df10434f0450
SHA1: 4c3e06a2ad03f46af3fe420502327715c46c5ff7 SHA256: f73aa083e539ea8d2e0b31e5f8ed8844bdfa3ce116f5ad759261ae24f7dc40dd SSDeep: 1536:SEkovkSLYdgbXJ37WBOfcmVS8LRA5Jy2asOPTIp7D:rLvkSEgdqEftjkYTsOEpn |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf | 33.14 KB |
MD5:
7b5f427a11038c7a1ccbbf4436fb6148
SHA1: 146342583d1b834c83f5b569c10661ebfcc925c2 SHA256: 4bb3a93a52aa7bdd457c15450106cdf844f54a4080b2f32e8bd008fa64fec2f2 SSDeep: 768:c7qHOQN0jA2JOQYZM6xgbOj/kvvWHZLLzjY4b/DLpt:t3zGy+0gKkvvWhL |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv | 11.45 KB |
MD5:
10674ff65d0458ae63ac252946501ec0
SHA1: 4971ae16efc2fc4d0056e70ed7acafe5160c6468 SHA256: c51b202f25adde4e7e8acae0728cb2b7a603645861d2e4a4b6c4b43907f663fd SSDeep: 192:KGF9HF98MTgUzv6pRO5R/jOtNXJkSIidDINv5pJ0se9at1ObabHVmnmPdvk:KGPHFUev6OTOtNXJHIitIDpOiwYHVmV |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv | 17.34 KB |
MD5:
b80a04cef20a574c1f0c92b52bf7a621
SHA1: bc616a3697ae5a954b633720238076a6fcd38ed1 SHA256: 77de2ebe414ed7b281c366209404251a72448871bddbddff89505f3c3835f1db SSDeep: 384:1D1vIoJN4DdGq1LlZYOKS9UARo+UyTyE7vu4Qb+ko73kzPbc/:1D5PsGxEbU0yQQyobc/ |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls | 30.67 KB |
MD5:
84637d6d31a2206fbd784535d330764b
SHA1: 847de053198eb5b1fd861567d5499699d8a7ce9b SHA256: b00a7ce3b99600b6b4f23198d3c7f6faf09b84a9c0c0c9801d9fb38459d19db9 SSDeep: 768:mxY+kU13M5cxdb4itx0EylrYhwnE6txjfIJw:EXkU13M5md0GylUgbOw |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls | 57.12 KB |
MD5:
a8a045af2595eded55949b5a276ca2ca
SHA1: 2e4986af90dbeb18b3bc2ea06bc8095833e81b8f SHA256: 98484109bda2d2726cbbd4409f157718a5a5a5b87dd6710b6a8bee6a4b64ddd7 SSDeep: 1536:FKwZ/D9d4Z374f057rW39+Tnlj5MMZYra7qV:FK2/fWUFulyMer1V |
|
|
| C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi | 90.09 KB |
MD5:
300442a9a89a5f8b978098fed807cd5e
SHA1: 2296f3c499647d976c1be2712b816f000958cbad SHA256: 6d4293cf6ba2cc8a104d855eff28f1d03babe7de6c05f0100529bcf47b5cbe74 SSDeep: 1536:N+Euki973khdes3qfwpVoqy+5psAqCcspvDl14Q8DFB379BMeV274zt:N+E+EaEWql5JNvB2QQFB3hBMKzt |
|
|
| C:\Users\FD1HVy\Desktop\dudTlSq3.mp3 | 16.64 KB |
MD5:
43b15ad65e87ca0632e61021bb8f68ee
SHA1: 8ab9d5854a5eede6a4f62f04a87d3f58451285ee SHA256: 2d585eac99897efa1d9a9f764519a9aa2ac2c0c10fb689f78556e7b4b0e3d1b6 SSDeep: 384:SPf3ZHYibDeRZvv0uOX+j2ad44Kx69Fo0eHYPj+YEPmrP/md:SPf1t+5cubR1oCK0D6bP8g |
|
|
| C:\Users\FD1HVy\Desktop\du_y8ZA.bmp | 96.30 KB |
MD5:
0f03002dbc4a9bf37d0625fbbe0c85de
SHA1: 10e0bd709431adde0b9fa22b663ae1914b0e4719 SHA256: cac907691955d5339837066f5012ffccfacc74ed3addee6ed4c056cc789c0327 SSDeep: 3072:8fG177ozcQMxSJMXeuVwfA0NNZ6NkpfedV84:b1ozNGOEo5ZHpfo84 |
|
|
| C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv | 33.86 KB |
MD5:
dc72854cfcfba3763062e99665002cca
SHA1: 3f9e667c9b1e8d6544a8c8a9c2cedd14df327a78 SHA256: 0cf21a70e18f6107e43894b3ec74863afc276ee70b22b26951d3ac94784a2bfc SSDeep: 768:ZkAgYgDI+6xZQJfW9UOc+So6SCB1+R+B8DmqR0QbU:KAgYgDyqfWTcc6jBsDmqR03 |
|
|
| C:\Users\FD1HVy\Desktop\kXyvY.bmp | 1.19 KB |
MD5:
6f7ae2f77556f78d581979d239755aeb
SHA1: 2e8fb0f37373c03c0be194f1534e404b403b9459 SHA256: 1c6ef441941b96f802886f0ef1870f95401c400aa47a9205077213cecfff457b SSDeep: 24:nqp9DKCgq7vr4V/XPPTZt4joYc3Gs5lEfOKGAuU8foFtxJjlI:qp9DKCg6+XPrZeBsM2KcRoznZI |
|
|
| C:\Users\FD1HVy\Desktop\ljwNeYj.avi | 83.36 KB |
MD5:
0cc3f7044a0974ae8e55a0a556ab024a
SHA1: cdcd40620345b68644361cc7336615706ca05df5 SHA256: 11d541d432ff0138f9dee36173018affcae89605c97ee2d8361c353c35604a24 SSDeep: 1536:QGsmgim2roTF5kZa060i4nOMyiXH2e8D4CHfsCJwT86/VuvhLx:ZsmZmfTAZ16ZLMjQICJ8kht |
|
|
| C:\Users\FD1HVy\Desktop\mJmzsgIR.avi | 3.98 KB |
MD5:
9db6eedcbaae78df2f408c22c6b1efac
SHA1: 761f93169388981a21fdb15f9d80926eb85bf0a9 SHA256: 02ba7929c08ecd5b916342021264d75ab843b4cbd93f5a5907ef201c2b1ecac9 SSDeep: 96:jWOmKed29CoDHdYeRMiXBE2D1T9vCxl5Z8G1lM1H4ttZI:iOmHI9CoDHdYMM8jfC71Tq |
|
|
| C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi | 99.98 KB |
MD5:
270e3e3895e9225381076e35bf63e3ac
SHA1: 19dd8d92f375167f6aa1450ed0288ba7b10ea204 SHA256: 837b823b656ce295236edfb274fc166d8d9adc8cb3d18d3980787fd51322ca60 SSDeep: 3072:OCqq9c0ms4eW5u3fKQNVJRrZwQe2zSUs6d:pR9c+4Xu3i62p206d |
|
|
| C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg | 57.09 KB |
MD5:
2f290342d3f473eeb5e6bc114c6858d5
SHA1: 7871e7f09559351a78990ee2a7502898affd9d33 SHA256: 4b190f44d90a8154c38af4a2f5b54b126264cfd094c2a9acd7eb06b180bbf8d7 SSDeep: 1536:3iXsyx8zbaRS0Ba3pfy2wLVnZtHHTNay1d5UMfzfTh4CZeOYWsjID:axIWRlsMBHpFU47ThoObsjE |
|
|
| C:\Users\FD1HVy\Desktop\uy _qJUK.mp3 | 53.23 KB |
MD5:
6ce21db449e33d185bb5780d72f4e91b
SHA1: 1de59bcec508b398a33a53535eeccc93c9e3f8ae SHA256: cf4c6842fa3c0b1b33bd55247bf1c47c4b8e816363d3cf42a665659c39c9774d SSDeep: 768:gdgawE4GSM2+M4ONyfyJYKBZ9u9wGc/j2K2wKFr0OUiVxibjIFWDk+LfZYjiot5v:Laf4Xx1yYYKBZMkCPwKFAjAikuotsW |
|
|
| C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png | 60.89 KB |
MD5:
376641291ef5532bea940b8fbfb5ce45
SHA1: 68ecf05d9cc3e78e839ba85fc4ae39c64fcce1d2 SHA256: 4e01a38c408073353ce8ef7ee521d46630f1b53659c641d7c5ef780df88c09a4 SSDeep: 768:mxfLYbjWF72LQ6z/6v0LQJi2Jq87QUXG1UxLO33yX1crbwSi88kIHFGbF+MkPI/Z:m5ei4/6vOV2E8G+OyXifwL8JozoPaY |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv | 88.98 KB |
MD5:
bc9240710eba1af58a5d8fbd1249d6c2
SHA1: 06f46229ecd3cde887d6d0ab9c2d2f526a1c0994 SHA256: 5a4b6f2d01ec8660f7d3672bc1c83d5d998f29738282500b0e2bf8c1d75c5155 SSDeep: 1536:tG8PHfeAQjL6bERPhynZJN7+lUJ1oMuc9jnVToHnZLIQc4QllMKg:j2D7iElIFFVToHFHc4Qal |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls | 23.77 KB |
MD5:
aa6c986a3eaffe463a64b0d155a8bf54
SHA1: 8fbb656cd9064b56b9f54cee7aa9fd8c0b7b1df8 SHA256: e9acdc34703a1af5da3e1433a584b734707559a04cb1fcf19805368a1e61bd88 SSDeep: 384:qHYPu1fDzvfu3vCniktGlqYCnV+GRgqSr9foCQy7Z+kjyk6c0Qhe/Hc:iX1PfuKni0RgdJoI7ZDjy6ZhH |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3 | 61.80 KB |
MD5:
60e0c2d3e9ce3be37d8ca6ad7bd5f982
SHA1: 8b05ff300e33446a9fbda6cf28211ea06e47fbc0 SHA256: 1e1028c91fe8c80941537dcc5b0411a02d1bcc4a008a9bd54814b1217d33c708 SSDeep: 1536:RuQPLIGxDKH6Yz9MTi+bu7cwhh8AK6XVyQ0wte/z:RuQPFQR9MTAgwrK6kbF/z |
|
|
| C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx | 82.61 KB |
MD5:
486ced9e938878bca51b1e2dc2ee8d7c
SHA1: 4f75e4862795b5b3bcf22fb357cff5ba8c52e15a SHA256: 67baf1c785f8caa1927f07ba9a7af7d587754d01a7cb222b7f8536a729e4b899 SSDeep: 1536:Wpv6ciiVuNMJbJIoZHXSafAUZslo5oTZzvW08H7aQMZYuWmZJeg+HdAyEmp:Wpv6MAN4zHXVdMZz0uQDmZYg+H+yp |
|
|
| C:\Users\FD1HVy\Documents\6jL9GY5.xlsx | 18.45 KB |
MD5:
f5336f7e6541beb4e482029dbc039a52
SHA1: 4c89a858ed9d4b67087594b3f06f1b602a4497d1 SHA256: 06fc27a6a86c813e348ea53ad2b418f5dcdce09ea511929acd1275d3ab375232 SSDeep: 384:RvwbNXKC4j5ADwiOjYATes/x+6qnhZfx69wiFaj71N0gPKj7s8LzaT:JSXK1akZHT5/kVnnxiw5n1/PUdzaT |
|
|
| C:\Users\FD1HVy\Documents\Am2R.docx | 5.69 KB |
MD5:
ad83c7ddbf84d4dd29177646127e6637
SHA1: f759c00158fa64897ea08f84e58754b25b411a3d SHA256: 41a51b0170e52d75b97abb476372c951429fb4dd4e3c2e68657881761d986942 SSDeep: 96:/1FvLRO3ggJ3tqsNod7XiILlr6yL97sSkSl6Roa9yBJUOufMzUVxPF/+QFXpWKLK:/1FvLROwg/Rod7XiKPaSxlvKyvlsr/1W |
|
|
| C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx | 88.20 KB |
MD5:
e9337169b25a54ce1c58b630681cbc3b
SHA1: 3875577a5f749cad374272652d1b3d9842445d35 SHA256: 25c0c77fafa9823cd8fe46e5b9b6ef207523dc3b7ec220a312f920fb3403078c SSDeep: 1536:S8okpScRRPHIJ3dfuyfxm/4urpuWqpmytxkQyqgZ9ZhOH+IPALDB4k09JTgVwZyO:SsScalZm/VZqRyQSfhgvgBVFgZ |
|
|
| C:\Users\FD1HVy\Documents\pFdPoLW.docx | 48.47 KB |
MD5:
30910d740468f2cbf1d312ba1ff7032a
SHA1: 47f751dea73b9314de45339b9048e80481838f3b SHA256: f9c55b2af5f8f0aee1758e8509e083993ccfd5a6b611709ad68f792c303f1e2d SSDeep: 768:RHjmDKnUOrgyoXvrdJANLUyDDz/uzE1l6jCfqBeCDn2WLK/7Pnwki/hLgcheDOCJ:dSWnUXv/zyDD7bSCfq9n7ObwkOL9O |
|
|
| C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx | 85.69 KB |
MD5:
7a04b76148ba0ca4a7e3b016b8edfce7
SHA1: 6455b3f3c688bd7bb185241ac4c005946f833b9a SHA256: 1c3a8f6b6cdaa00f882ca69ac674cbfbf88bf550524034154988e01a262db467 SSDeep: 1536:WwAMj8Yqn5hQvkJbB4LbH+B26MhY8r7Uk/4vFl9e/lqToS2I/55bN1oRHo+DE:W0j8YqnLMWYbeBrghqToMRPMJY |
|
|
| C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx | 3.38 KB |
MD5:
fc717b83436043a47f821d9919ac439d
SHA1: d76e9af83137a789eda026553f0873a5100878dd SHA256: 4c7228432c013cc3bea3f01e92227d3bda4f7b7e7eb9482eff0f53eb28deeeff SSDeep: 96:bGpMEY2PMxKBsAtGaI25LvESyOEfzRAmBbukgMCMrlO:bs7PPMxKmJaBLDzELmmB1gilO |
|
|
| C:\Users\FD1HVy\Documents\V_Zl34r.xlsx | 32.36 KB |
MD5:
e450aabe898c9e7cdcf192d843bdfd01
SHA1: 90d9c472db6ac06e3bfb699caee1df70c44feb7a SHA256: 19138d0e4afa0d02467dce098a12a76954703316c65da47bd0bc89dfca0fb80e SSDeep: 768:mpG7X0Nx+jxsLGOOZRVO820AFxz3DgEcn2LPdOS6cqGj:xENxKOLGO0o820Ar3Q2LPHbqGj |
|
|
| C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx | 52.30 KB |
MD5:
2db4bc800d041e580307450c01e34261
SHA1: a68e0dc21efdbf73647d6d4c303f3d750344d37c SHA256: 91a5078d5e767040460382600bddf188e81b85d1e6a32cedf185bd7b3fe2f458 SSDeep: 1536:mzkv4hlTAmUgw5DvIzr4Be2BW/tLBL6aCDN4sXNu5APOwwbr:mzP7lXYDkrWjo/tLJCDtw096r |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc | 29.95 KB |
MD5:
5a987f72bbfe5c3a17d8626871485ae9
SHA1: a40ecbd6dbfc699506c41528d883aee5d285b0ee SHA256: e392fc5def55e12dbcfeee41ef89fa3d04d89038ff49bee421a232f0834d95e2 SSDeep: 384:6PQ0jRYVmVzP8nx5BtIy9YVaLycdMAvBXvbMuyPbun7okHe1EJmxhN2:svRtjeXBSyiV+DvJDuaLHlWhN2 |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv | 52.03 KB |
MD5:
f6f6b4471c5e52dabb7620fbbed0c918
SHA1: ab83fb48454ebc097c612ea1440b0be35d5ad943 SHA256: 8aaa925da5de86d326c413181ab5fc042aaef1ac33c16237fa05a67cb75f6bf1 SSDeep: 768:Ws21iTRFdPIsEDnjy41aeidjvEQbTaExJvAn5+fFnl337hwNUDLxaFl5qKq9Zfc:igPIz1aeAvfFxNbfv3KQtR9Zfc |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv | 56.70 KB |
MD5:
19092c0a6199adfc03ebe06b39b8d261
SHA1: d669a8d152df12ee228da0c0ea040e8e867da038 SHA256: a3207751b5980a2d6e42b7d6dad785b5d11cdd119cf8663991422ddb06c37117 SSDeep: 1536:uYGrlliN6z6FJs1NpbHt3XtpUrY67TgTCYt0n:rGrls0W8pbN3XtahUmYtm |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt | 94.34 KB |
MD5:
be6b90ef3f6d22765dd209f3b481c09a
SHA1: 72dd2b567cd96df526554db5bda7efa04abf50a8 SHA256: 1c8acc2281743befc7bf32f7edd18460fb2ff6befb0650274c4b35537a97e139 SSDeep: 1536:ki5MqEsbZNdbZdr7XHbKecolmS0RcflizYrJ/uubIyZ7JYWOJF3S6GSAkANDP:7Gq5ZXZdHLKecIzW0l0YV7aWOHS6G8Ah |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt | 38.69 KB |
MD5:
b198fe00ce4f73292036900d13334381
SHA1: e8f5b8ddf18fc121f67a2641e6fd3e928da8d5f2 SHA256: 82dabd555f0da734113827ee2f180926ebb389689d317b984c8e0f67608f8b3f SSDeep: 768:IDMInmaon6Udd5cenEA9TcM3tw4viaiY+HsIqm8u+rAJEawgjdrXQ:IDHnmaE7pce3TcM3piaR+HCmv6awgZU |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt | 22.56 KB |
MD5:
1ac791d2b4d119deef09d170a48e27d4
SHA1: 162eadbbfc74c8022008074b0f2421d28a3cd80e SHA256: cdde47d23ea0294c729634d667d46bb692a884593cfae3613932efd13a48a555 SSDeep: 384:d4z/5dxa6zr4UtBEr9wJTntpmyhBE5PiEcacOnC9E5rjt+/:d4z/5dxdptBErEnjmyX2jm6SEjA |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx | 72.45 KB |
MD5:
b569732fe900f88590e3cef9ca70becd
SHA1: 7210de7df3aa0f35a8fb48f94dcdc7e0863d70b6 SHA256: 305dc4520b397bf53908a29822e6b2e4170c715dc3ca151566d77d73e0a6e82c SSDeep: 1536:W+iSxOznr5lNxI9XU9M1w2E26Rea6oFbwfL0JEipmfoWvsIrM+KMat7IPLG84:WJ02r5lKXU9FYaJFUfLeEAWkIrMtMaJ3 |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls | 86.12 KB |
MD5:
ea492cad22e779812b3774fc0650cf9d
SHA1: 4c0f0f99c49fe1788bb4893b707da4df5711e480 SHA256: 6c4660e64ca11bdb91a87baf01af1404a4fbd69dc9b7c834f5e83609dbfd82da SSDeep: 1536:WOusoGWE8XyAHvebGzeIZMh8o6K2tBioA6Sz9Tn3GHWX+nXYVo7kQ:VloGgJHGb+Dmn+BioA6Sz9Tn3eWunoOR |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx | 80.62 KB |
MD5:
302c75e59b647def6274b26763079b0a
SHA1: 885bf0f4a424de9e88e79a821d6d67227d7bf54c SHA256: 1b511995adc16faea282cfa6c50651a95dc857cc129281c0cabc9e334204e35d SSDeep: 1536:5Hza5JRyP04/DxLl+HrHC1wO5qCRyIDWaaC+eNS2a4skXYSJ6WmiztpEyJJwO:uAxL4HDqwO5qCJNNBah3S4tiz7 |
|
|
| C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt | 620 bytes |
MD5:
1e2d18a6f5b7f885e4a9ec114165f481
SHA1: d855e6ba02ea5fae55cd15ee9c25dc3c418fd9c4 SHA256: 8f6815293e3569e6dfe5a5703e64c9d1e121d73fff205fb3a3bb800956f01590 SSDeep: 12:gqin7cS8CVyN6mzkei2FbDBRDrW6VAJNmF8RN0avcOwEXsMcD3Qv:gqUcSPyN5nfDr/kNzRN0a0OQZDK |
|
|
Downloaded Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\FD1HVy\Hermes-decrypter-new.exe | 5.35 MB |
MD5:
3b85f5b34325130e39ef0d3e6c4487da
SHA1: 519fadc8b74bbb130cc033d229ab6f7835f102a6 SHA256: a98b84e4b28eac459445b957298b2ca219236732f2fee71599b1ce0bb619fe1c SSDeep: 98304:4SzyuEiYKN963Hj5Tv/dZa2PLKBFxiPusJTtVPeShRnsIgwutgKln:fYu9kHj5bdZ/zKxVwTtVrhFwtf |
|
|
| C:\FD1HVy\ransom.jpg | 100.35 KB |
MD5:
be0c08c7b656758b59a0e8095ac46500
SHA1: 05a32f45639bdfc10b514b38e94c11476d0db706 SHA256: af22fb32dd5cd4409c1f176d097ad7fe662e64261e8aaf6d2f0a06bd21ad22c5 SSDeep: 3072:07SpgOL+ZJXVRxxS6118nXd0V1Bm67Z3XbA7:0upgOkJTxxZ8XdMXm43Xs7 |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv | 68.95 KB |
MD5:
ad6c1f2a6cdd381ef1a13d3af369d118
SHA1: 33eb70333eedac9888111b1bd449171c56fcc2c4 SHA256: b01e060a3d7781da924fb6e4fd4eab6a5b09345e7be82a8958bc8f770e7a3294 SSDeep: 1536:qj3IKacgmlAQLDH6OeTeKGV6JOsiF5b+27IyxBTqXTH5t63Ye:q0vHQLebT506J385bBLaXTZt6oe |
|
|
| C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt | 26.84 KB |
MD5:
b78a35a6bd521d114a8a6e2380cd9c6b
SHA1: ec757667040dffd51a1469874a23627bf60c60c4 SHA256: 963368c18a93bd27937a1bc74ff6f071a372cd732651a8ce9ffc50964da37993 SSDeep: 768:I75uZUfiRELgRi3kv14eLTsj7E05fzSZu5:I7kKqyLgRoKSg0sI |
|
|
| C:\Users\FD1HVy\Desktop\NwrDTZ.docx | 9.89 KB |
MD5:
0b7811a107f951b464151c5d1a44584c
SHA1: d3a413a3eacb7a8f8ae3aba7511e4b31e8fc6901 SHA256: 18d8a6599ea1fe6d4c4eba5a6f990ad971d780a371d5db13d4e191549307b997 SSDeep: 192:KsoyJ/lZGucLKNCWQ/LGj2dhXnyCDlndl2OVJHuIx79OyL6MoUE49Z:KfmZqLKNnQ/c2DyCxn/56Ix5B6/UjZ |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png | 26.38 KB |
MD5:
57c90fd4575a333df65481cb5fbde5ea
SHA1: 83d4afc2810d7914b222da748d624aa12501472d SHA256: bd8eea59a031641a32cdcba0997a1098df6d3d1e9a1db8ba46d5cd053ecacaa9 SSDeep: 768:lguEWlTIdsLBts4i336GMS9Zj9PTRBd6bcpOz:oWRbBq4i3kS9l9rYOC |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg | 43.30 KB |
MD5:
2ba3444b16eb9089d30cea6c9a027c5b
SHA1: e8bebf538637c0c603bab60df123c5c230ba2170 SHA256: c61394c3380630708d5444c153777cf6a172c6d96c879ac2074b48c9bfe1ee98 SSDeep: 768:TCfGdOdx4IWvqBLB0vX/6rjiM9pzIFwlpb65R+PmjMh9VCuGuBrxLx0:e8bvqlWXWjb9OFwlpb65RWPzXBt10 |
|
|
| C:\Users\FD1HVy\Documents\1v32WDK.pptx | 21.83 KB |
MD5:
366ef990393cfd047c49a40abf6796f1
SHA1: d6755cfabbe4d6c235e6fe01e9dfe434ca31b23f SHA256: 1cf1863f1f108e20967657f0d62408bb8d39af087a3ec80dfef25a864b6c2669 SSDeep: 384:WOHIpAh+ICHTiaLxR2bfVUN5Btwgkj44bVCMBtelMg+UD4/mF9+Gm9a1dLSz0J:WOHIShRiLmbfVUHBWjfPeny+3m9aXT |
|
|
| C:\Users\FD1HVy\Documents\4z4 82v.xlsx | 85.00 KB |
MD5:
d5e0238a22f7bc784abfce03c9f95cd8
SHA1: 27686f68136c4715bbbfa9e4f9ab0e7a3fca2278 SHA256: 3ecba9d88d232d0585b2add438bc5e51880f8a112bbfb96f9ce5f7fc3da1e412 SSDeep: 1536:GObYmhDd8qOQvjon4omiI5YRE+xuEpVxbxdU+WMw7WiyB9hxbVIHkw7RVN1MB+:ZDhd8QFomkRE8umVx2/9W3B9hXINDMB+ |
|
|
| C:\Users\FD1HVy\Documents\9dHCFyZ_.odt | 87.84 KB |
MD5:
2ceb8c12ade85aa392ced42ceeab6b06
SHA1: 5f0e03816044369d1ff5e0d50af5c4d3dafb9b31 SHA256: aa2835f26ddccbfcf46a036c0e166d74c4f896adfca7e5ce73e42b082a7e0c77 SSDeep: 1536:IiJ1lJ6BXof7gm+rI0+fhxwyfBON6wueixk/6qDQOr1aJ2ihJEPW0xDjmXoakAIo:aVSMm+EHhxfBO0i+/koJ2e05mYZDc |
|
|
| C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx | 59.31 KB |
MD5:
304fbb23542e95c7e1ddf7f96fa92f18
SHA1: a8017643f3db2db54f5333cc9d6f3f73c3335286 SHA256: 81eb3ba9c4d9c2ea6768fc978a8f52c7085439d3b4ef1f5c44397da4cf7a1c61 SSDeep: 1536:q7H0iibmbRO1e93YrDkkTdxMSuPX9gV7+DFkjjrOKIbNIFz:q7UiiKFOE9YD3TXcPG7KFkfrIu |
|
|
| C:\Users\FD1HVy\Documents\IDj9.docx | 69.11 KB |
MD5:
f9f0de41922094a98aa6eb1069bd71f1
SHA1: 312a14d8c0fe53b8e3a50d21bd9be623e8317b6d SHA256: 1e7b3980e03e94b51f523a1cfbe993c560db00e7fddbe3eaecc946736d9cb5eb SSDeep: 1536:9jSYA2iTywJIRZTYYlhjt8gB0tmr0fg43NTwWaGBnK:9jSD2zwSrNR8Vk0fnTdaqK |
|
|
| C:\Users\FD1HVy\Documents\oK6_.pptx | 72.27 KB |
MD5:
c100d596d86f2114cb136b36e8dfe4b7
SHA1: 0b6d33ddca29af40800a5e6d621646c8fd81dd1e SHA256: eb969b956f0864474d6ccf5e7c588bdc14e3223d759f43fa2855be7da7bc3ca0 SSDeep: 1536:WBr87ww8P6O++j6nuNVlrIuY/fCqrEjTIEYbtWFu:WVuf8PWnEVllYiZjTInRp |
|
|
| C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx | 10.56 KB |
MD5:
7fa4252827c5ce4266e99697db5e9d27
SHA1: 481a0a4ecf152d1a0cf3c587dfdb65ed00797403 SHA256: 04e016d28a310ed0b51b34c9b2130624d67e636205e96d7e12b96e175f220cd2 SSDeep: 192:WRxd11WHI1MFw6Mcxo99wdSnkvvTbWNzpBQBau7k1K2tH+/k7VRzMxjdEc/j:Wfd1II1ItXo9Wdi+qQV7OH+kRzYx//j |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf | 54.62 KB |
MD5:
bdd278c06d2e1fbcbad8df10434f0450
SHA1: 4c3e06a2ad03f46af3fe420502327715c46c5ff7 SHA256: f73aa083e539ea8d2e0b31e5f8ed8844bdfa3ce116f5ad759261ae24f7dc40dd SSDeep: 1536:SEkovkSLYdgbXJ37WBOfcmVS8LRA5Jy2asOPTIp7D:rLvkSEgdqEftjkYTsOEpn |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf | 33.14 KB |
MD5:
7b5f427a11038c7a1ccbbf4436fb6148
SHA1: 146342583d1b834c83f5b569c10661ebfcc925c2 SHA256: 4bb3a93a52aa7bdd457c15450106cdf844f54a4080b2f32e8bd008fa64fec2f2 SSDeep: 768:c7qHOQN0jA2JOQYZM6xgbOj/kvvWHZLLzjY4b/DLpt:t3zGy+0gKkvvWhL |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv | 11.45 KB |
MD5:
10674ff65d0458ae63ac252946501ec0
SHA1: 4971ae16efc2fc4d0056e70ed7acafe5160c6468 SHA256: c51b202f25adde4e7e8acae0728cb2b7a603645861d2e4a4b6c4b43907f663fd SSDeep: 192:KGF9HF98MTgUzv6pRO5R/jOtNXJkSIidDINv5pJ0se9at1ObabHVmnmPdvk:KGPHFUev6OTOtNXJHIitIDpOiwYHVmV |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv | 17.34 KB |
MD5:
b80a04cef20a574c1f0c92b52bf7a621
SHA1: bc616a3697ae5a954b633720238076a6fcd38ed1 SHA256: 77de2ebe414ed7b281c366209404251a72448871bddbddff89505f3c3835f1db SSDeep: 384:1D1vIoJN4DdGq1LlZYOKS9UARo+UyTyE7vu4Qb+ko73kzPbc/:1D5PsGxEbU0yQQyobc/ |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls | 30.67 KB |
MD5:
84637d6d31a2206fbd784535d330764b
SHA1: 847de053198eb5b1fd861567d5499699d8a7ce9b SHA256: b00a7ce3b99600b6b4f23198d3c7f6faf09b84a9c0c0c9801d9fb38459d19db9 SSDeep: 768:mxY+kU13M5cxdb4itx0EylrYhwnE6txjfIJw:EXkU13M5md0GylUgbOw |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls | 57.12 KB |
MD5:
a8a045af2595eded55949b5a276ca2ca
SHA1: 2e4986af90dbeb18b3bc2ea06bc8095833e81b8f SHA256: 98484109bda2d2726cbbd4409f157718a5a5a5b87dd6710b6a8bee6a4b64ddd7 SSDeep: 1536:FKwZ/D9d4Z374f057rW39+Tnlj5MMZYra7qV:FK2/fWUFulyMer1V |
|
|
| C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi | 90.09 KB |
MD5:
300442a9a89a5f8b978098fed807cd5e
SHA1: 2296f3c499647d976c1be2712b816f000958cbad SHA256: 6d4293cf6ba2cc8a104d855eff28f1d03babe7de6c05f0100529bcf47b5cbe74 SSDeep: 1536:N+Euki973khdes3qfwpVoqy+5psAqCcspvDl14Q8DFB379BMeV274zt:N+E+EaEWql5JNvB2QQFB3hBMKzt |
|
|
| C:\Users\FD1HVy\Desktop\dudTlSq3.mp3 | 16.64 KB |
MD5:
43b15ad65e87ca0632e61021bb8f68ee
SHA1: 8ab9d5854a5eede6a4f62f04a87d3f58451285ee SHA256: 2d585eac99897efa1d9a9f764519a9aa2ac2c0c10fb689f78556e7b4b0e3d1b6 SSDeep: 384:SPf3ZHYibDeRZvv0uOX+j2ad44Kx69Fo0eHYPj+YEPmrP/md:SPf1t+5cubR1oCK0D6bP8g |
|
|
| C:\Users\FD1HVy\Desktop\du_y8ZA.bmp | 96.30 KB |
MD5:
0f03002dbc4a9bf37d0625fbbe0c85de
SHA1: 10e0bd709431adde0b9fa22b663ae1914b0e4719 SHA256: cac907691955d5339837066f5012ffccfacc74ed3addee6ed4c056cc789c0327 SSDeep: 3072:8fG177ozcQMxSJMXeuVwfA0NNZ6NkpfedV84:b1ozNGOEo5ZHpfo84 |
|
|
| C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv | 33.86 KB |
MD5:
dc72854cfcfba3763062e99665002cca
SHA1: 3f9e667c9b1e8d6544a8c8a9c2cedd14df327a78 SHA256: 0cf21a70e18f6107e43894b3ec74863afc276ee70b22b26951d3ac94784a2bfc SSDeep: 768:ZkAgYgDI+6xZQJfW9UOc+So6SCB1+R+B8DmqR0QbU:KAgYgDyqfWTcc6jBsDmqR03 |
|
|
| C:\Users\FD1HVy\Desktop\kXyvY.bmp | 1.19 KB |
MD5:
6f7ae2f77556f78d581979d239755aeb
SHA1: 2e8fb0f37373c03c0be194f1534e404b403b9459 SHA256: 1c6ef441941b96f802886f0ef1870f95401c400aa47a9205077213cecfff457b SSDeep: 24:nqp9DKCgq7vr4V/XPPTZt4joYc3Gs5lEfOKGAuU8foFtxJjlI:qp9DKCg6+XPrZeBsM2KcRoznZI |
|
|
| C:\Users\FD1HVy\Desktop\ljwNeYj.avi | 83.36 KB |
MD5:
0cc3f7044a0974ae8e55a0a556ab024a
SHA1: cdcd40620345b68644361cc7336615706ca05df5 SHA256: 11d541d432ff0138f9dee36173018affcae89605c97ee2d8361c353c35604a24 SSDeep: 1536:QGsmgim2roTF5kZa060i4nOMyiXH2e8D4CHfsCJwT86/VuvhLx:ZsmZmfTAZ16ZLMjQICJ8kht |
|
|
| C:\Users\FD1HVy\Desktop\mJmzsgIR.avi | 3.98 KB |
MD5:
9db6eedcbaae78df2f408c22c6b1efac
SHA1: 761f93169388981a21fdb15f9d80926eb85bf0a9 SHA256: 02ba7929c08ecd5b916342021264d75ab843b4cbd93f5a5907ef201c2b1ecac9 SSDeep: 96:jWOmKed29CoDHdYeRMiXBE2D1T9vCxl5Z8G1lM1H4ttZI:iOmHI9CoDHdYMM8jfC71Tq |
|
|
| C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi | 99.98 KB |
MD5:
270e3e3895e9225381076e35bf63e3ac
SHA1: 19dd8d92f375167f6aa1450ed0288ba7b10ea204 SHA256: 837b823b656ce295236edfb274fc166d8d9adc8cb3d18d3980787fd51322ca60 SSDeep: 3072:OCqq9c0ms4eW5u3fKQNVJRrZwQe2zSUs6d:pR9c+4Xu3i62p206d |
|
|
| C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg | 57.09 KB |
MD5:
2f290342d3f473eeb5e6bc114c6858d5
SHA1: 7871e7f09559351a78990ee2a7502898affd9d33 SHA256: 4b190f44d90a8154c38af4a2f5b54b126264cfd094c2a9acd7eb06b180bbf8d7 SSDeep: 1536:3iXsyx8zbaRS0Ba3pfy2wLVnZtHHTNay1d5UMfzfTh4CZeOYWsjID:axIWRlsMBHpFU47ThoObsjE |
|
|
| C:\Users\FD1HVy\Desktop\uy _qJUK.mp3 | 53.23 KB |
MD5:
6ce21db449e33d185bb5780d72f4e91b
SHA1: 1de59bcec508b398a33a53535eeccc93c9e3f8ae SHA256: cf4c6842fa3c0b1b33bd55247bf1c47c4b8e816363d3cf42a665659c39c9774d SSDeep: 768:gdgawE4GSM2+M4ONyfyJYKBZ9u9wGc/j2K2wKFr0OUiVxibjIFWDk+LfZYjiot5v:Laf4Xx1yYYKBZMkCPwKFAjAikuotsW |
|
|
| C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png | 60.89 KB |
MD5:
376641291ef5532bea940b8fbfb5ce45
SHA1: 68ecf05d9cc3e78e839ba85fc4ae39c64fcce1d2 SHA256: 4e01a38c408073353ce8ef7ee521d46630f1b53659c641d7c5ef780df88c09a4 SSDeep: 768:mxfLYbjWF72LQ6z/6v0LQJi2Jq87QUXG1UxLO33yX1crbwSi88kIHFGbF+MkPI/Z:m5ei4/6vOV2E8G+OyXifwL8JozoPaY |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv | 88.98 KB |
MD5:
bc9240710eba1af58a5d8fbd1249d6c2
SHA1: 06f46229ecd3cde887d6d0ab9c2d2f526a1c0994 SHA256: 5a4b6f2d01ec8660f7d3672bc1c83d5d998f29738282500b0e2bf8c1d75c5155 SSDeep: 1536:tG8PHfeAQjL6bERPhynZJN7+lUJ1oMuc9jnVToHnZLIQc4QllMKg:j2D7iElIFFVToHFHc4Qal |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls | 23.77 KB |
MD5:
aa6c986a3eaffe463a64b0d155a8bf54
SHA1: 8fbb656cd9064b56b9f54cee7aa9fd8c0b7b1df8 SHA256: e9acdc34703a1af5da3e1433a584b734707559a04cb1fcf19805368a1e61bd88 SSDeep: 384:qHYPu1fDzvfu3vCniktGlqYCnV+GRgqSr9foCQy7Z+kjyk6c0Qhe/Hc:iX1PfuKni0RgdJoI7ZDjy6ZhH |
|
|
| C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3 | 61.80 KB |
MD5:
60e0c2d3e9ce3be37d8ca6ad7bd5f982
SHA1: 8b05ff300e33446a9fbda6cf28211ea06e47fbc0 SHA256: 1e1028c91fe8c80941537dcc5b0411a02d1bcc4a008a9bd54814b1217d33c708 SSDeep: 1536:RuQPLIGxDKH6Yz9MTi+bu7cwhh8AK6XVyQ0wte/z:RuQPFQR9MTAgwrK6kbF/z |
|
|
| C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx | 82.61 KB |
MD5:
486ced9e938878bca51b1e2dc2ee8d7c
SHA1: 4f75e4862795b5b3bcf22fb357cff5ba8c52e15a SHA256: 67baf1c785f8caa1927f07ba9a7af7d587754d01a7cb222b7f8536a729e4b899 SSDeep: 1536:Wpv6ciiVuNMJbJIoZHXSafAUZslo5oTZzvW08H7aQMZYuWmZJeg+HdAyEmp:Wpv6MAN4zHXVdMZz0uQDmZYg+H+yp |
|
|
| C:\Users\FD1HVy\Documents\6jL9GY5.xlsx | 18.45 KB |
MD5:
f5336f7e6541beb4e482029dbc039a52
SHA1: 4c89a858ed9d4b67087594b3f06f1b602a4497d1 SHA256: 06fc27a6a86c813e348ea53ad2b418f5dcdce09ea511929acd1275d3ab375232 SSDeep: 384:RvwbNXKC4j5ADwiOjYATes/x+6qnhZfx69wiFaj71N0gPKj7s8LzaT:JSXK1akZHT5/kVnnxiw5n1/PUdzaT |
|
|
| C:\Users\FD1HVy\Documents\Am2R.docx | 5.69 KB |
MD5:
ad83c7ddbf84d4dd29177646127e6637
SHA1: f759c00158fa64897ea08f84e58754b25b411a3d SHA256: 41a51b0170e52d75b97abb476372c951429fb4dd4e3c2e68657881761d986942 SSDeep: 96:/1FvLRO3ggJ3tqsNod7XiILlr6yL97sSkSl6Roa9yBJUOufMzUVxPF/+QFXpWKLK:/1FvLROwg/Rod7XiKPaSxlvKyvlsr/1W |
|
|
| C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx | 88.20 KB |
MD5:
e9337169b25a54ce1c58b630681cbc3b
SHA1: 3875577a5f749cad374272652d1b3d9842445d35 SHA256: 25c0c77fafa9823cd8fe46e5b9b6ef207523dc3b7ec220a312f920fb3403078c SSDeep: 1536:S8okpScRRPHIJ3dfuyfxm/4urpuWqpmytxkQyqgZ9ZhOH+IPALDB4k09JTgVwZyO:SsScalZm/VZqRyQSfhgvgBVFgZ |
|
|
| C:\Users\FD1HVy\Documents\pFdPoLW.docx | 48.47 KB |
MD5:
30910d740468f2cbf1d312ba1ff7032a
SHA1: 47f751dea73b9314de45339b9048e80481838f3b SHA256: f9c55b2af5f8f0aee1758e8509e083993ccfd5a6b611709ad68f792c303f1e2d SSDeep: 768:RHjmDKnUOrgyoXvrdJANLUyDDz/uzE1l6jCfqBeCDn2WLK/7Pnwki/hLgcheDOCJ:dSWnUXv/zyDD7bSCfq9n7ObwkOL9O |
|
|
| C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx | 85.69 KB |
MD5:
7a04b76148ba0ca4a7e3b016b8edfce7
SHA1: 6455b3f3c688bd7bb185241ac4c005946f833b9a SHA256: 1c3a8f6b6cdaa00f882ca69ac674cbfbf88bf550524034154988e01a262db467 SSDeep: 1536:WwAMj8Yqn5hQvkJbB4LbH+B26MhY8r7Uk/4vFl9e/lqToS2I/55bN1oRHo+DE:W0j8YqnLMWYbeBrghqToMRPMJY |
|
|
| C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx | 3.38 KB |
MD5:
fc717b83436043a47f821d9919ac439d
SHA1: d76e9af83137a789eda026553f0873a5100878dd SHA256: 4c7228432c013cc3bea3f01e92227d3bda4f7b7e7eb9482eff0f53eb28deeeff SSDeep: 96:bGpMEY2PMxKBsAtGaI25LvESyOEfzRAmBbukgMCMrlO:bs7PPMxKmJaBLDzELmmB1gilO |
|
|
| C:\Users\FD1HVy\Documents\V_Zl34r.xlsx | 32.36 KB |
MD5:
e450aabe898c9e7cdcf192d843bdfd01
SHA1: 90d9c472db6ac06e3bfb699caee1df70c44feb7a SHA256: 19138d0e4afa0d02467dce098a12a76954703316c65da47bd0bc89dfca0fb80e SSDeep: 768:mpG7X0Nx+jxsLGOOZRVO820AFxz3DgEcn2LPdOS6cqGj:xENxKOLGO0o820Ar3Q2LPHbqGj |
|
|
| C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx | 52.30 KB |
MD5:
2db4bc800d041e580307450c01e34261
SHA1: a68e0dc21efdbf73647d6d4c303f3d750344d37c SHA256: 91a5078d5e767040460382600bddf188e81b85d1e6a32cedf185bd7b3fe2f458 SSDeep: 1536:mzkv4hlTAmUgw5DvIzr4Be2BW/tLBL6aCDN4sXNu5APOwwbr:mzP7lXYDkrWjo/tLJCDtw096r |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc | 29.95 KB |
MD5:
5a987f72bbfe5c3a17d8626871485ae9
SHA1: a40ecbd6dbfc699506c41528d883aee5d285b0ee SHA256: e392fc5def55e12dbcfeee41ef89fa3d04d89038ff49bee421a232f0834d95e2 SSDeep: 384:6PQ0jRYVmVzP8nx5BtIy9YVaLycdMAvBXvbMuyPbun7okHe1EJmxhN2:svRtjeXBSyiV+DvJDuaLHlWhN2 |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv | 52.03 KB |
MD5:
f6f6b4471c5e52dabb7620fbbed0c918
SHA1: ab83fb48454ebc097c612ea1440b0be35d5ad943 SHA256: 8aaa925da5de86d326c413181ab5fc042aaef1ac33c16237fa05a67cb75f6bf1 SSDeep: 768:Ws21iTRFdPIsEDnjy41aeidjvEQbTaExJvAn5+fFnl337hwNUDLxaFl5qKq9Zfc:igPIz1aeAvfFxNbfv3KQtR9Zfc |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv | 56.70 KB |
MD5:
19092c0a6199adfc03ebe06b39b8d261
SHA1: d669a8d152df12ee228da0c0ea040e8e867da038 SHA256: a3207751b5980a2d6e42b7d6dad785b5d11cdd119cf8663991422ddb06c37117 SSDeep: 1536:uYGrlliN6z6FJs1NpbHt3XtpUrY67TgTCYt0n:rGrls0W8pbN3XtahUmYtm |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt | 94.34 KB |
MD5:
be6b90ef3f6d22765dd209f3b481c09a
SHA1: 72dd2b567cd96df526554db5bda7efa04abf50a8 SHA256: 1c8acc2281743befc7bf32f7edd18460fb2ff6befb0650274c4b35537a97e139 SSDeep: 1536:ki5MqEsbZNdbZdr7XHbKecolmS0RcflizYrJ/uubIyZ7JYWOJF3S6GSAkANDP:7Gq5ZXZdHLKecIzW0l0YV7aWOHS6G8Ah |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt | 38.69 KB |
MD5:
b198fe00ce4f73292036900d13334381
SHA1: e8f5b8ddf18fc121f67a2641e6fd3e928da8d5f2 SHA256: 82dabd555f0da734113827ee2f180926ebb389689d317b984c8e0f67608f8b3f SSDeep: 768:IDMInmaon6Udd5cenEA9TcM3tw4viaiY+HsIqm8u+rAJEawgjdrXQ:IDHnmaE7pce3TcM3piaR+HCmv6awgZU |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt | 22.56 KB |
MD5:
1ac791d2b4d119deef09d170a48e27d4
SHA1: 162eadbbfc74c8022008074b0f2421d28a3cd80e SHA256: cdde47d23ea0294c729634d667d46bb692a884593cfae3613932efd13a48a555 SSDeep: 384:d4z/5dxa6zr4UtBEr9wJTntpmyhBE5PiEcacOnC9E5rjt+/:d4z/5dxdptBErEnjmyX2jm6SEjA |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx | 72.45 KB |
MD5:
b569732fe900f88590e3cef9ca70becd
SHA1: 7210de7df3aa0f35a8fb48f94dcdc7e0863d70b6 SHA256: 305dc4520b397bf53908a29822e6b2e4170c715dc3ca151566d77d73e0a6e82c SSDeep: 1536:W+iSxOznr5lNxI9XU9M1w2E26Rea6oFbwfL0JEipmfoWvsIrM+KMat7IPLG84:WJ02r5lKXU9FYaJFUfLeEAWkIrMtMaJ3 |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls | 86.12 KB |
MD5:
ea492cad22e779812b3774fc0650cf9d
SHA1: 4c0f0f99c49fe1788bb4893b707da4df5711e480 SHA256: 6c4660e64ca11bdb91a87baf01af1404a4fbd69dc9b7c834f5e83609dbfd82da SSDeep: 1536:WOusoGWE8XyAHvebGzeIZMh8o6K2tBioA6Sz9Tn3GHWX+nXYVo7kQ:VloGgJHGb+Dmn+BioA6Sz9Tn3eWunoOR |
|
|
| C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx | 80.62 KB |
MD5:
302c75e59b647def6274b26763079b0a
SHA1: 885bf0f4a424de9e88e79a821d6d67227d7bf54c SHA256: 1b511995adc16faea282cfa6c50651a95dc857cc129281c0cabc9e334204e35d SSDeep: 1536:5Hza5JRyP04/DxLl+HrHC1wO5qCRyIDWaaC+eNS2a4skXYSJ6WmiztpEyJJwO:uAxL4HDqwO5qCJNNBah3S4tiz7 |
|
|
Threads
Thread 0xf30
1550
1097
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
1 | |
| Debug | Check for Presence | c:\users\fd1hvy\desktop\hermes.exe |
|
1 | |
| Debug | Check for Presence | c:\users\fd1hvy\desktop\hermes.exe |
|
1 | |
| Debug | Check for Presence | c:\users\fd1hvy\desktop\hermes.exe |
|
1 | |
| Debug | Hide | c:\users\fd1hvy\desktop\hermes.exe |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 254 |
|
1 | |
| File | Open | filename = \??\C:\Users\FD1HVy\Desktop\Hermes.exe, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Module | Create Mapping | protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | process_name = c:\users\fd1hvy\desktop\hermes.exe, address_out = 0x0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
6 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x77920000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x75bb0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wtsapi32.dll, base_address = 0x742b0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
7 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x74b70000 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
4 | |
| System | Get Time | type = System Time, time = 2019-05-24 16:56:10 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 134453 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 13448684662 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x74b70000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernelbase.dll, base_address = 0x74ea0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
1 | |
| System | Get Time | type = System Time, time = 2019-05-24 16:56:11 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 135984 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 13601859239 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\hermes.exe, base_address = 0x400000 |
|
1 | |
| Module | Load | module_name = mscoree.dll, base_address = 0x744c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\mscoree.dll, function = CLRCreateInstance, address_out = 0x744d5000 |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | module_name = c:\users\fd1hvy\desktop\hermes.exe, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\users\fd1hvy\desktop\hermes.exe, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\ntdll.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\KERNEL32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernelbase.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\KERNELBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\apphelp.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ole32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\ole32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\combase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\ucrtbase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\RPCRT4.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\SspiCli.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\CRYPTBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\bcryptPrimitives.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\sechost.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\GDI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\gdi32full.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\msvcp_win.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\USER32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\win32u.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\oleaut32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\OLEAUT32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\wtsapi32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\WTSAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\msvcrt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\IMM32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\kernel.appcore.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\system32\uxtheme.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\mscoree.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\mscoree.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\ADVAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\SHLWAPI.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\MSVCR120_CLR0400.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\f12799647dc4f4abd2f0f17790337f04\mscorlib.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\CRYPTSP.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\system32\rsaenh.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\bcrypt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\fcfb8bac8ea9a0e69d72c350b22f8e3f\System.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\5b307e2b9719b21749a8c73127ab5f45\System.Drawing.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\02d3b6022cc1ee466eb660dedcff59aa\System.Windows.Forms.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\psapi.dll, size = 2048 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, type = file_attributes |
|
1 | |
| Module | Load | module_name = mscorjit.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = clrjit.dll, base_address = 0x727b0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll, function = getJit, address_out = 0x72803d60 |
|
1 | |
| Module | Get Filename | module_name = c:\users\fd1hvy\desktop\hermes.exe, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\ntdll.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\KERNEL32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernelbase.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\KERNELBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\apphelp.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ole32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\ole32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\combase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\ucrtbase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\RPCRT4.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\SspiCli.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\CRYPTBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\bcryptPrimitives.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\sechost.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\GDI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\gdi32full.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\msvcp_win.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\USER32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\win32u.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\oleaut32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\OLEAUT32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\wtsapi32.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\WTSAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\msvcrt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\IMM32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\kernel.appcore.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\system32\uxtheme.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\mscoree.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\mscoree.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\ADVAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\SHLWAPI.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\MSVCR120_CLR0400.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\f12799647dc4f4abd2f0f17790337f04\mscorlib.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\CRYPTSP.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\system32\rsaenh.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\bcrypt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\fcfb8bac8ea9a0e69d72c350b22f8e3f\System.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\5b307e2b9719b21749a8c73127ab5f45\System.Drawing.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\02d3b6022cc1ee466eb660dedcff59aa\System.Windows.Forms.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\System32\psapi.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\WINDOWS\SYSTEM32\version.dll, size = 2048 |
|
1 | |
| User | Get Username | user_name_out = FD1HVy |
|
1 | |
| System | Get Computer Name | result_out = NQDPDE |
|
1 | |
| Module | Get Filename | module_name = mscorjit.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 |
|
8 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | module_name = mscorjit.dll, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\Hermes.exe.config, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x6eb70000 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x6e960000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x74b70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x74600140 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\hermes.exe, base_address = 0x400000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88689294 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6eb70000 |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\Hermes.exe.config, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6eb70000 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6e960000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\hermes.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88689374 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\hermes.exe, base_address = 0x400000 |
|
2 | |
| Window | Create | window_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -8, new_long = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6e960000 |
|
1 | |
| System | Get window text | window_text = 1698852 |
|
2 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -16, new_long = 47120384 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -20, new_long = 327808 |
|
1 | |
| System | Get window text | window_text = 1698068 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6e960000 |
|
1 | |
| System | Get window text | window_text = 1697684 |
|
2 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -16, new_long = 315555840 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -20, new_long = 852096 |
|
1 | |
| System | Get window text | window_text = 1696784 |
|
1 | |
| Window | Set Attribute | index = -8, new_long = 0 |
|
1 | |
| System | Get window text | window_text = 1696660 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6e960000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\hermes.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88689574 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\hermes.exe, base_address = 0x400000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, index = -4, new_long = 88689654 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -8, new_long = 393294 |
|
1 | |
| System | Get window text | window_text = 1696456 |
|
1 | |
| System | Get window text | window_text = 1695240 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -8, new_long = 393294 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6e960000 |
|
1 | |
| System | Get window text | window_text = 1697528 |
|
2 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -16, new_long = 315555840 |
|
1 | |
| Window | Set Attribute | window_name = hidden tear, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -20, new_long = 589952 |
|
1 | |
| System | Get window text | window_text = 1696632 |
|
1 | |
| Window | Set Attribute | index = -8, new_long = 458798 |
|
1 | |
| File | Get Info | filename = C:\FD1HVy\Systems, type = file_attributes |
|
3 | |
| File | Get Info | filename = C:\FD1HVy, type = file_attributes |
|
1 | |
| File | Create Directory | C:\FD1HVy |
|
1 | |
| File | Create Directory | C:\FD1HVy\Systems |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\Hermes.exe, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\Hermes.exe, destination_filename = C:\FD1HVy\Systems\local.exe |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, size = 70595, size_out = 70595 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, size = 70608 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv, destination_filename = C:\Users\FD1HVy\Desktop\-t3hSggSt8.csv.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, size = 27475, size_out = 27475 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, size = 27488 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt, destination_filename = C:\Users\FD1HVy\Desktop\-wiWbBcmoqutvw1S.odt.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, size = 92248, size_out = 92248 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, size = 92256 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi, destination_filename = C:\Users\FD1HVy\Desktop\0YuVxzeY9-b4MF.avi.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, size = 17030, size_out = 17030 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, size = 17040 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3, destination_filename = C:\Users\FD1HVy\Desktop\dudTlSq3.mp3.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, size = 98593, size_out = 98593 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, size = 98608 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp, destination_filename = C:\Users\FD1HVy\Desktop\du_y8ZA.bmp.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, size = 34656, size_out = 34656 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, size = 34672 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv, destination_filename = C:\Users\FD1HVy\Desktop\hIJHv_tpsSRLGQkXt1.mkv.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, size = 4096, size_out = 1215 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, size = 1216 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp, destination_filename = C:\Users\FD1HVy\Desktop\kXyvY.bmp.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, size = 85354, size_out = 85354 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, size = 85360 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi, destination_filename = C:\Users\FD1HVy\Desktop\ljwNeYj.avi.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, size = 4096, size_out = 4072 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, size = 4080 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi, destination_filename = C:\Users\FD1HVy\Desktop\mJmzsgIR.avi.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, size = 10116, size_out = 10116 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, size = 10128 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx, destination_filename = C:\Users\FD1HVy\Desktop\NwrDTZ.docx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, size = 102377, size_out = 102377 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, size = 102384 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi, destination_filename = C:\Users\FD1HVy\Desktop\OZa1OvHSiPZtGYMnr.avi.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, size = 58462, size_out = 58462 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, size = 58464 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg, destination_filename = C:\Users\FD1HVy\Desktop\RSUbGrWMOv90jjgcKmCA.jpg.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, size = 54506, size_out = 54506 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, size = 54512 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3, destination_filename = C:\Users\FD1HVy\Desktop\uy _qJUK.mp3.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, size = 62349, size_out = 62349 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, size = 62352 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png, destination_filename = C:\Users\FD1HVy\Desktop\Vmnx49O7kGj.png.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, size = 91116, size_out = 91116 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, size = 91120 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv, destination_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\K6Z4SfIpaB.mkv.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, size = 24326, size_out = 24326 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, size = 24336 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls, destination_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\TfNW1f m7CX1OiM.xls.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, size = 26993, size_out = 26993 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, size = 27008 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png, destination_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\4Mx7zT82zOjgkV9spUg.png.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, size = 63275, size_out = 63275 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, size = 63280 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3, destination_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\nVeBdFzvpwwtXC.mp3.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, size = 44332, size_out = 44332 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, size = 44336 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg, destination_filename = C:\Users\FD1HVy\Desktop\kUVq_ b-BGEv YRT\fhdgh_AfpkHHBB9_QqtI\Yzb93Q82DMI82wO\teY6IrO7ujB.jpg.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, size = 84584, size_out = 84584 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, size = 84592 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx, destination_filename = C:\Users\FD1HVy\Documents\--8WWFRhf0b.pptx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, size = 22351, size_out = 22351 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, size = 22352 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx, destination_filename = C:\Users\FD1HVy\Documents\1v32WDK.pptx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, size = 87025, size_out = 87025 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, size = 87040 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx, destination_filename = C:\Users\FD1HVy\Documents\4z4 82v.xlsx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, size = 18894, size_out = 18894 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, size = 18896 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx, destination_filename = C:\Users\FD1HVy\Documents\6jL9GY5.xlsx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, size = 89949, size_out = 89949 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, size = 89952 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt, destination_filename = C:\Users\FD1HVy\Documents\9dHCFyZ_.odt.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\Am2R.docx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\Am2R.docx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\Am2R.docx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\Am2R.docx, size = 5811, size_out = 5811 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\Am2R.docx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\Am2R.docx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\Am2R.docx, size = 5824 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\Am2R.docx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\Am2R.docx, destination_filename = C:\Users\FD1HVy\Documents\Am2R.docx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, size = 90307, size_out = 90307 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, size = 90320 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx, destination_filename = C:\Users\FD1HVy\Documents\ayhyoBKV0xMLiy.docx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, size = 60731, size_out = 60731 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, size = 60736 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx, destination_filename = C:\Users\FD1HVy\Documents\BZh3 QA3w.xlsx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\IDj9.docx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\IDj9.docx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\IDj9.docx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\IDj9.docx, size = 70762, size_out = 70762 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\IDj9.docx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\IDj9.docx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\IDj9.docx, size = 70768 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\IDj9.docx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\IDj9.docx, destination_filename = C:\Users\FD1HVy\Documents\IDj9.docx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\oK6_.pptx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\oK6_.pptx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\oK6_.pptx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\oK6_.pptx, size = 73997, size_out = 73997 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\oK6_.pptx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\oK6_.pptx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\oK6_.pptx, size = 74000 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\oK6_.pptx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\oK6_.pptx, destination_filename = C:\Users\FD1HVy\Documents\oK6_.pptx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, size = 49625, size_out = 49625 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, size = 49632 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx, destination_filename = C:\Users\FD1HVy\Documents\pFdPoLW.docx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, size = 87729, size_out = 87729 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, size = 87744 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx, destination_filename = C:\Users\FD1HVy\Documents\uZFTfGR0J-cG.pptx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, size = 4096, size_out = 3443 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, size = 3456 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx, destination_filename = C:\Users\FD1HVy\Documents\v2OWp_Gc8AHT3d4nGyy.docx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, size = 33130, size_out = 33130 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, size = 33136 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx, destination_filename = C:\Users\FD1HVy\Documents\V_Zl34r.xlsx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, size = 10804, size_out = 10804 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, size = 10816 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx, destination_filename = C:\Users\FD1HVy\Documents\X7xxXdVkKAI.pptx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, size = 53539, size_out = 53539 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, size = 53552 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx, destination_filename = C:\Users\FD1HVy\Documents\xpmGmPcch3uV.xlsx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, size = 30665, size_out = 30665 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, size = 30672 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\5hwK.doc.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, size = 53275, size_out = 53275 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, size = 53280 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\NeCh.csv.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, size = 55932, size_out = 55932 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, size = 55936 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\RwxQrbJr.rtf.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, size = 58056, size_out = 58056 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, size = 58064 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\47y8mp0s.csv.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, size = 33933, size_out = 33933 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, size = 33936 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\Hi Fm0SkJi.pdf.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, size = 11717, size_out = 11717 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, size = 11728 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\77bIp480yHDf0\pjQnM18Yq7so0m2EOvAa.csv.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, size = 17749, size_out = 17749 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, size = 17760 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\6Py75SwYl1UPRzmW_N.csv.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, size = 96596, size_out = 96596 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, size = 96608 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\hy UYGYQM9MBJYSeMTx.ppt.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, size = 39600, size_out = 39600 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, size = 39616 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\pFzSit0y49o.odt.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, size = 23102, size_out = 23102 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, size = 23104 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\HhXhtU9gOiLGZ\So7sQ6gpKdfTrbp.ppt.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, size = 74185, size_out = 74185 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, size = 74192 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\43Z39pBBrj.pptx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, size = 31393, size_out = 31393 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, size = 31408 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\jDPo.xls.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, size = 88186, size_out = 88186 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, size = 88192 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\kryOh-FNUXNCWUA.xls.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, size = 58491, size_out = 58491 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, size = 58496 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\oKefxkUyIL.xls.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, size = 82557, size_out = 82557 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, size = 82560 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx, destination_filename = C:\Users\FD1HVy\Documents\kqnw_pPQeZHhvh\iPxRamNOgEfL6vt-WkOO\PVOgT\yOtj RSlDnhyJi.xlsx.Hermes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\My Shapes\_private\folder.ico, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\My Shapes\_private\folder.ico, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Documents\My Shapes\_private\folder.ico, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\FD1HVy\Documents\My Shapes\_private\folder.ico, size = 29926, size_out = 29926 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt.Marozka, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Documents\My Shapes\_private\folder.ico, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Create | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt, type = file_type |
|
2 | |
| File | Write | filename = C:\Users\FD1HVy\Desktop\HOW TO DECRYPT FILES.txt, size = 620 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 17951423187 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework, value_name = LegacyWPADSupport, type = REG_NONE |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.HttpWebRequest_MinCount |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = TZI, type = REG_BINARY |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\WINDOWS\system32\en-US\tzres.dll.mui, base_address = 0x8260001 |
|
3 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.Connection_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.Connection_MinCount |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = www.google.com, address_out = 172.217.22.36 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| System | Get Network Adapter Info | - |
|
1 | |
| System | Get Network Adapter Info | - |
|
1 | |
| Socket | Connect | remote_address = 172.217.22.36, remote_port = 443 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, value_name = HWRPortReuseOnSocketBind, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, value_name = SchUseStrongCrypto, type = REG_NONE |
|
1 | |
| Module | Get Filename | module_name = c:\users\fd1hvy\desktop\hermes.exe, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 2048 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, value_name = SchSendAuxRecord, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, value_name = SystemDefaultTlsVersions, type = REG_NONE |
|
1 | |
| Module | Get Filename | module_name = c:\users\fd1hvy\desktop\hermes.exe, process_name = c:\users\fd1hvy\desktop\hermes.exe, file_name_orig = C:\Users\FD1HVy\Desktop\Hermes.exe, size = 2048 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319, value_name = RequireCertificateEKUs, type = REG_NONE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = AppPolicyGetClrCompat, address_out = 0x74f768b0 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 122, size_out = 122 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 63, size_out = 63 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2112, size_out = 2112 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 112, size_out = 112 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 101, size_out = 101 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 228, size_out = 228 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| System | Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.SslStream_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.SslStream_MinCount |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.SslStream_Disabled |
|
1 | |
| Environment | Get Environment String | name = PinnableBufferCache_System.Net.SslStream_MinCount |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 138, size_out = 138 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18574953262 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18574959973 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575033856 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575062697 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575091237 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575119420 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575149203 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575397230 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575429702 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575458778 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575547535 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575577421 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575606106 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575693727 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575723239 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575752640 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 976, size_out = 976 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575828667 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 176, size_out = 176 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575881093 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18575916108 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576062207 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576091320 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576119981 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576203635 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576232379 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576313836 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576343949 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576418515 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576447690 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576476058 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576555505 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576584030 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576612426 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576689783 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576720338 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1424, size_out = 1424 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576797612 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 976, size_out = 976 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576826058 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 32, size_out = 32 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 18576871104 |
|
1 | |
| File | Create | filename = C:\FD1HVy\ransom.jpg, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\FD1HVy\ransom.jpg, type = file_type |
|
2 | |
| System | Get Time | type = Performance Ctr, time = 18579074903 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = h139975.s08.test-hf.su, address_out = 91.227.16.118 |
|
1 | |
| Socket | Connect | remote_address = 91.227.16.118, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 87, size_out = 87 |
|
1 | |
| Inet | Open Session | - |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = h139975.s08.test-hf.su, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /SmailFile/1.jpg |
|
1 | |
| Inet | Send HTTP Request | headers = Host: h139975.s08.test-hf.su, Connection: Keep-Alive, url = h139975.s08.test-hf.su/SmailFile/1.jpg |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 9904 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 9904 |
|
1 | |
| File | Write | filename = C:\FD1HVy\ransom.jpg, size = 4096 |
|
1 | |
| File | Write | filename = C:\FD1HVy\ransom.jpg, size = 9636 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 19600 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 19600 |
|
1 | |
| File | Write | filename = C:\FD1HVy\ransom.jpg, size = 19600 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8400 |
|
1 | |
| Inet | Read Response | size = 65536, size_out = 8400 |
|
1 | |
| File | Write | filename = C:\FD1HVy\ransom.jpg, size = 8400 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 61027, size_out = 30800 |
|
1 | |
| Inet | Read Response | size = 61027, size_out = 30800 |
|
1 | |
| File | Write | filename = C:\FD1HVy\ransom.jpg, size = 30800 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 30227, size_out = 2800 |
|
1 | |
| Inet | Read Response | size = 30227, size_out = 2800 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 27427, size_out = 27427 |
|
1 | |
| Inet | Read Response | size = 27427, size_out = 27427 |
|
1 | |
| File | Write | filename = C:\FD1HVy\ransom.jpg, size = 4096 |
|
1 | |
| File | Write | filename = C:\FD1HVy\ransom.jpg, size = 26131 |
|
1 | |
| File | Create | filename = C:\FD1HVy\Hermes-decrypter-new.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\FD1HVy\Hermes-decrypter-new.exe, type = file_type |
|
2 | |
| System | Get Time | type = Performance Ctr, time = 18729311206 |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 82, size_out = 82 |
|
1 | |
| Inet | Open Session | - |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = h139975.s08.test-hf.su, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /SmailFile/Hermes-decrypter-new.exe |
|
1 | |
| Inet | Send HTTP Request | headers = Host: h139975.s08.test-hf.su, url = h139975.s08.test-hf.su/SmailFile/Hermes-decrypter-new.exe |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 4096 |
|
1 | |
|
For performance reasons, the remaining 1449 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Thread 0xd20
13
10
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\hermes.exe, base_address = 0x400000 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x74b70000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x74600140 |
|
1 | |
| Window | Set Attribute | window_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, index = -4, new_long = 1952448832 |
|
1 | |
| Module | Unmap | process_name = c:\users\fd1hvy\desktop\hermes.exe |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| System | Sleep | duration = -1 (infinite) |
|
1 |
Thread 0xfd4
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 20 milliseconds (0.020 seconds) |
|
1 |
Process #3: hermes-decrypter-new.exe
2299
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\fd1hvy\hermes-decrypter-new.exe |
| Command Line | "C:\FD1HVy\Hermes-decrypter-new.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Self Terminated |
| Monitor Duration | 00:00:43 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc14 |
| Parent PID | 0xf4c (c:\users\fd1hvy\desktop\hermes.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
390
0x
C70
0x
E40
0x
42C
0x
6C8
0x
174
0x
D6C
0x
F50
|
Threads
Thread 0x390
1972
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
1 | |
| Debug | Check for Presence | c:\fd1hvy\hermes-decrypter-new.exe |
|
1 | |
| Debug | Check for Presence | c:\fd1hvy\hermes-decrypter-new.exe |
|
1 | |
| Debug | Check for Presence | c:\fd1hvy\hermes-decrypter-new.exe |
|
1 | |
| Debug | Hide | c:\fd1hvy\hermes-decrypter-new.exe |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 254 |
|
1 | |
| File | Open | filename = \??\C:\FD1HVy\Hermes-decrypter-new.exe, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Module | Create Mapping | protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | process_name = c:\fd1hvy\hermes-decrypter-new.exe, address_out = 0x0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
6 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x77920000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x75bb0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wtsapi32.dll, base_address = 0x742b0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
7 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x74b70000 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
4 | |
| System | Get Time | type = System Time, time = 2019-05-24 16:57:39 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 223312 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 22334865620 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x74b70000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernelbase.dll, base_address = 0x74ea0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77bb0000 |
|
1 | |
| System | Get Time | type = System Time, time = 2019-05-24 16:57:40 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 224578 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 22461449032 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75e90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Module | Load | module_name = mscoree.dll, base_address = 0x744c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\mscoree.dll, function = CLRCreateInstance, address_out = 0x744d5000 |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | module_name = c:\fd1hvy\hermes-decrypter-new.exe, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 2048 |
|
2 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\ntdll.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\KERNEL32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernelbase.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\KERNELBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\apphelp.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ole32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ole32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\combase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ucrtbase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\RPCRT4.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\SspiCli.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\CRYPTBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\bcryptPrimitives.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\sechost.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\GDI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\gdi32full.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\msvcp_win.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\USER32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\win32u.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\oleaut32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\OLEAUT32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\wtsapi32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\WTSAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\msvcrt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\IMM32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\kernel.appcore.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\system32\uxtheme.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\mscoree.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\mscoree.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ADVAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\SHLWAPI.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\MSVCR120_CLR0400.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\f12799647dc4f4abd2f0f17790337f04\mscorlib.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\CRYPTSP.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\system32\rsaenh.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\bcrypt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\fcfb8bac8ea9a0e69d72c350b22f8e3f\System.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\5b307e2b9719b21749a8c73127ab5f45\System.Drawing.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\02d3b6022cc1ee466eb660dedcff59aa\System.Windows.Forms.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\psapi.dll, size = 2048 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, type = file_attributes |
|
1 | |
| Module | Load | module_name = mscorjit.dll, base_address = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll, function = getJit, address_out = 0x72803d60 |
|
1 | |
| Module | Get Filename | module_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, file_name_orig = C:\WINDOWS\SYSTEM32\ntdll.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernel32.dll, file_name_orig = C:\WINDOWS\System32\KERNEL32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernelbase.dll, file_name_orig = C:\WINDOWS\System32\KERNELBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\SYSTEM32\apphelp.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ole32.dll, file_name_orig = C:\WINDOWS\System32\ole32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\combase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\ucrtbase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\RPCRT4.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\SspiCli.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\CRYPTBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\bcryptPrimitives.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\sechost.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\GDI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\gdi32full.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\msvcp_win.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, file_name_orig = C:\WINDOWS\System32\USER32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\win32u.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\oleaut32.dll, file_name_orig = C:\WINDOWS\System32\OLEAUT32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\wtsapi32.dll, file_name_orig = C:\WINDOWS\SYSTEM32\WTSAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\msvcrt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\IMM32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\kernel.appcore.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\system32\uxtheme.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\mscoree.dll, file_name_orig = C:\WINDOWS\SYSTEM32\mscoree.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\ADVAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\SHLWAPI.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\SYSTEM32\MSVCR120_CLR0400.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\f12799647dc4f4abd2f0f17790337f04\mscorlib.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\SYSTEM32\CRYPTSP.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\system32\rsaenh.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\SYSTEM32\bcrypt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\fcfb8bac8ea9a0e69d72c350b22f8e3f\System.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\5b307e2b9719b21749a8c73127ab5f45\System.Drawing.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\02d3b6022cc1ee466eb660dedcff59aa\System.Windows.Forms.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\System32\psapi.dll, size = 2048 |
|
1 | |
| Module | Get Filename | file_name_orig = C:\WINDOWS\SYSTEM32\version.dll, size = 2048 |
|
1 | |
| User | Get Username | user_name_out = FD1HVy |
|
1 | |
| System | Get Computer Name | result_out = NQDPDE |
|
1 | |
| Module | Get Filename | module_name = mscorjit.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 |
|
8 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| Module | Get Filename | module_name = mscorjit.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\FD1HVy\Hermes-decrypter-new.exe.config, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x74600140 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88361614 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
29 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
27 | |
| File | Get Info | filename = C:\FD1HVy\Hermes-decrypter-new.exe.config, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
104 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
2 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, index = -4, new_long = 88362414 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| System | Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get Cursor | x_out = 819, y_out = 301 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88362454 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -8, new_long = 0 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get Cursor | x_out = 819, y_out = 301 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -16, new_long = 33619968 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -20, new_long = 327808 |
|
1 | |
| System | Get window text | window_text = 1696096 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
3 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88362494 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -12, new_long = 458830 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
2 | |
| Window | Create | window_name = knyaz@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = knyaz@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Window | Set Attribute | window_name = knyaz@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 88362574 |
|
1 | |
| Window | Set Attribute | window_name = knyaz@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -12, new_long = 262672 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
2 | |
| Window | Create | window_name = Support2:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Support2:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Support2:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88362654 |
|
1 | |
| Window | Set Attribute | window_name = Support2:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 524464 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = suporthermes@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = suporthermes@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Window | Set Attribute | window_name = suporthermes@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 88362694 |
|
1 | |
| Window | Set Attribute | window_name = suporthermes@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -12, new_long = 328190 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Support1:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Support1:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Support1:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88362734 |
|
1 | |
| Window | Set Attribute | window_name = Support1:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 458820 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Good day!!! All files on your computer are encrypted. Decoding files is only possible with our help !!! You need to pay within 48 hours to decrypt your files in accordance with the tariff of your country. Tariffs are indicated in the window from the left !!! And contact us after paying for your individual decryption key by contact below: If this does not happen then after 72 hours all your files will be lost. In addition, we use your computer in their illegal actions. And how much your computer is bought by you and in accordance with your legislation country is your property. And you will be criminally responsible for our actions))) Hurry to pay, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Good day!!! All files on your computer are encrypted. Decoding files is only possible with our help !!! You need to pay within 48 hours to decrypt your files in accordance with the tariff of your country. Tariffs are indicated in the window from the left !!! And contact us after paying for your individual decryption key by contact below: If this does not happen then after 72 hours all your files will be lost. In addition, we use your computer in their illegal actions. And how much your computer is bought by you and in accordance with your legislation country is your property. And you will be criminally responsible for our actions))) Hurry to pay, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Window | Set Attribute | window_name = Good day!!! All files on your computer are encrypted. Decoding files is only possible with our help !!! You need to pay within 48 hours to decrypt your files in accordance with the tariff of your country. Tariffs are indicated in the window from the left !!! And contact us after paying for your individual decryption key by contact below: If this does not happen then after 72 hours all your files will be lost. In addition, we use your computer in their illegal actions. And how much your computer is bought by you and in accordance with your legislation country is your property. And you will be criminally responsible for our actions))) Hurry to pay, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 88362774 |
|
1 | |
| Window | Set Attribute | window_name = Good day!!! All files on your computer are encrypted. Decoding files is only possible with our help !!! You need to pay within 48 hours to decrypt your files in accordance with the tariff of your country. Tariffs are indicated in the window from the left !!! And contact us after paying for your individual decryption key by contact below: If this does not happen then after 72 hours all your files will be lost. In addition, we use your computer in their illegal actions. And how much your computer is bought by you and in accordance with your legislation country is your property. And you will be criminally responsible for our actions))) Hurry to pay, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -12, new_long = 524310 |
|
1 | |
| System | Get window text | window_text = 1695396 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Buona giornata! Tutti i file sul tuo computer sono crittografati. La decodifica dei file è possibile solo con il nostro aiuto !!! Devi pagare entro 48 ore per decifrare il tuo file in conformità con la tariffa del tuo paese. Le tariffe sono indicate nella finestra da sinistra !!! E contattaci dopo aver pagato la tua chiave di decodifica individuale per contatto di seguito: Se ciò non accade, dopo 72 ore tutti i file andranno persi. Inoltre, usiamo il tuo computer nelle loro azioni illegali. E quanto il tuo computer è stato acquistato da te e in conformità con la tua legislazione il paese è di tua proprietà E sarai criminalmente responsabile delle nostre azioni))) Sbrigati a pagare, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Buona giornata! Tutti i file sul tuo computer sono crittografati. La decodifica dei file è possibile solo con il nostro aiuto !!! Devi pagare entro 48 ore per decifrare il tuo file in conformità con la tariffa del tuo paese. Le tariffe sono indicate nella finestra da sinistra !!! E contattaci dopo aver pagato la tua chiave di decodifica individuale per contatto di seguito: Se ciò non accade, dopo 72 ore tutti i file andranno persi. Inoltre, usiamo il tuo computer nelle loro azioni illegali. E quanto il tuo computer è stato acquistato da te e in conformità con la tua legislazione il paese è di tua proprietà E sarai criminalmente responsabile delle nostre azioni))) Sbrigati a pagare, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Window | Set Attribute | window_name = Buona giornata! Tutti i file sul tuo computer sono crittografati. La decodifica dei file è possibile solo con il nostro aiuto !!! Devi pagare entro 48 ore per decifrare il tuo file in conformità con la tariffa del tuo paese. Le tariffe sono indicate nella finestra da sinistra !!! E contattaci dopo aver pagato la tua chiave di decodifica individuale per contatto di seguito: Se ciò non accade, dopo 72 ore tutti i file andranno persi. Inoltre, usiamo il tuo computer nelle loro azioni illegali. E quanto il tuo computer è stato acquistato da te e in conformità con la tua legislazione il paese è di tua proprietà E sarai criminalmente responsabile delle nostre azioni))) Sbrigati a pagare, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 88343734 |
|
1 | |
| Window | Set Attribute | window_name = Buona giornata! Tutti i file sul tuo computer sono crittografati. La decodifica dei file è possibile solo con il nostro aiuto !!! Devi pagare entro 48 ore per decifrare il tuo file in conformità con la tariffa del tuo paese. Le tariffe sono indicate nella finestra da sinistra !!! E contattaci dopo aver pagato la tua chiave di decodifica individuale per contatto di seguito: Se ciò non accade, dopo 72 ore tutti i file andranno persi. Inoltre, usiamo il tuo computer nelle loro azioni illegali. E quanto il tuo computer è stato acquistato da te e in conformità con la tua legislazione il paese è di tua proprietà E sarai criminalmente responsabile delle nostre azioni))) Sbrigati a pagare, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -12, new_long = 131598 |
|
1 | |
| System | Get window text | window_text = 1695396 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = 美好的一天! 您计算机上的所有文件都已加密。 只有在我们的帮助下才能解码文件! 您需要在48小时内付款才能解密 根据您所在国家/地区的关税文件。 从左边的窗口显示关税!!! 通过以下联系方式支付您的个人解密密钥后,请与我们联系: 如果没有发生这种情况,那么72小时后您的所有文件都将丢失。 此外,我们使用您的计算机进行非法操作。 您的电脑是根据您的法律购买了多少 国家是你的财产。 你将对我们的行为承担刑事责任))) 快点付钱, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = 美好的一天! 您计算机上的所有文件都已加密。 只有在我们的帮助下才能解码文件! 您需要在48小时内付款才能解密 根据您所在国家/地区的关税文件。 从左边的窗口显示关税!!! 通过以下联系方式支付您的个人解密密钥后,请与我们联系: 如果没有发生这种情况,那么72小时后您的所有文件都将丢失。 此外,我们使用您的计算机进行非法操作。 您的电脑是根据您的法律购买了多少 国家是你的财产。 你将对我们的行为承担刑事责任))) 快点付钱, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Window | Set Attribute | window_name = 美好的一天! 您计算机上的所有文件都已加密。 只有在我们的帮助下才能解码文件! 您需要在48小时内付款才能解密 根据您所在国家/地区的关税文件。 从左边的窗口显示关税!!! 通过以下联系方式支付您的个人解密密钥后,请与我们联系: 如果没有发生这种情况,那么72小时后您的所有文件都将丢失。 此外,我们使用您的计算机进行非法操作。 您的电脑是根据您的法律购买了多少 国家是你的财产。 你将对我们的行为承担刑事责任))) 快点付钱, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 88375774 |
|
1 | |
| Window | Set Attribute | window_name = 美好的一天! 您计算机上的所有文件都已加密。 只有在我们的帮助下才能解码文件! 您需要在48小时内付款才能解密 根据您所在国家/地区的关税文件。 从左边的窗口显示关税!!! 通过以下联系方式支付您的个人解密密钥后,请与我们联系: 如果没有发生这种情况,那么72小时后您的所有文件都将丢失。 此外,我们使用您的计算机进行非法操作。 您的电脑是根据您的法律购买了多少 国家是你的财产。 你将对我们的行为承担刑事责任))) 快点付钱, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -12, new_long = 262620 |
|
1 | |
| System | Get window text | window_text = 1695396 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Guten tag Alle Dateien auf Ihrem Computer werden verschlüsselt. Das Entschlüsseln von Dateien ist nur mit unserer Hilfe möglich !!! Sie müssen innerhalb von 48 Stunden bezahlen, um Ihre Daten zu entschlüsseln Dateien in Übereinstimmung mit dem Tarif Ihres Landes. Tarife werden im Fenster von links angezeigt !!! Und kontaktieren Sie uns nach der Bezahlung Ihres individuellen Entschlüsselungsschlüssels per Kontakt: Geschieht dies nicht, gehen nach 72 Stunden alle Ihre Dateien verloren. Darüber hinaus verwenden wir Ihren Computer in ihren illegalen Handlungen. Und wie viel Ihr Computer von Ihnen gekauft wird und in Übereinstimmung mit Ihrer Gesetzgebung Land ist Ihr Eigentum. Und Sie werden für unsere Handlungen strafrechtlich verantwortlich sein))) Beeilen Sie sich zu bezahlen, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Guten tag Alle Dateien auf Ihrem Computer werden verschlüsselt. Das Entschlüsseln von Dateien ist nur mit unserer Hilfe möglich !!! Sie müssen innerhalb von 48 Stunden bezahlen, um Ihre Daten zu entschlüsseln Dateien in Übereinstimmung mit dem Tarif Ihres Landes. Tarife werden im Fenster von links angezeigt !!! Und kontaktieren Sie uns nach der Bezahlung Ihres individuellen Entschlüsselungsschlüssels per Kontakt: Geschieht dies nicht, gehen nach 72 Stunden alle Ihre Dateien verloren. Darüber hinaus verwenden wir Ihren Computer in ihren illegalen Handlungen. Und wie viel Ihr Computer von Ihnen gekauft wird und in Übereinstimmung mit Ihrer Gesetzgebung Land ist Ihr Eigentum. Und Sie werden für unsere Handlungen strafrechtlich verantwortlich sein))) Beeilen Sie sich zu bezahlen, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Window | Set Attribute | window_name = Guten tag Alle Dateien auf Ihrem Computer werden verschlüsselt. Das Entschlüsseln von Dateien ist nur mit unserer Hilfe möglich !!! Sie müssen innerhalb von 48 Stunden bezahlen, um Ihre Daten zu entschlüsseln Dateien in Übereinstimmung mit dem Tarif Ihres Landes. Tarife werden im Fenster von links angezeigt !!! Und kontaktieren Sie uns nach der Bezahlung Ihres individuellen Entschlüsselungsschlüssels per Kontakt: Geschieht dies nicht, gehen nach 72 Stunden alle Ihre Dateien verloren. Darüber hinaus verwenden wir Ihren Computer in ihren illegalen Handlungen. Und wie viel Ihr Computer von Ihnen gekauft wird und in Übereinstimmung mit Ihrer Gesetzgebung Land ist Ihr Eigentum. Und Sie werden für unsere Handlungen strafrechtlich verantwortlich sein))) Beeilen Sie sich zu bezahlen, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 88375454 |
|
1 | |
| Window | Set Attribute | window_name = Guten tag Alle Dateien auf Ihrem Computer werden verschlüsselt. Das Entschlüsseln von Dateien ist nur mit unserer Hilfe möglich !!! Sie müssen innerhalb von 48 Stunden bezahlen, um Ihre Daten zu entschlüsseln Dateien in Übereinstimmung mit dem Tarif Ihres Landes. Tarife werden im Fenster von links angezeigt !!! Und kontaktieren Sie uns nach der Bezahlung Ihres individuellen Entschlüsselungsschlüssels per Kontakt: Geschieht dies nicht, gehen nach 72 Stunden alle Ihre Dateien verloren. Darüber hinaus verwenden wir Ihren Computer in ihren illegalen Handlungen. Und wie viel Ihr Computer von Ihnen gekauft wird und in Übereinstimmung mit Ihrer Gesetzgebung Land ist Ihr Eigentum. Und Sie werden für unsere Handlungen strafrechtlich verantwortlich sein))) Beeilen Sie sich zu bezahlen, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -12, new_long = 393510 |
|
1 | |
| System | Get window text | window_text = 1695396 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
2 | |
| Window | Create | window_name = Open Decryptor, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Open Decryptor, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, index = -4, new_long = 1876224000 |
|
1 | |
| Window | Set Attribute | window_name = Open Decryptor, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, index = -4, new_long = 88375334 |
|
1 | |
| Window | Set Attribute | window_name = Open Decryptor, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, index = -12, new_long = 131602 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88375214 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -12, new_long = 590346 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Next 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Next 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Next 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88375014 |
|
1 | |
| Window | Set Attribute | window_name = Next 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 459276 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = $300, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = $300, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = $300, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88374934 |
|
1 | |
| Window | Set Attribute | window_name = $300, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66068 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88375254 |
|
1 | |
| Window | Set Attribute | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66070 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88375054 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -12, new_long = 66072 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = first 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = first 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = first 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88375574 |
|
1 | |
| Window | Set Attribute | window_name = first 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66074 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = $150, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = $150, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = $150, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88375654 |
|
1 | |
| Window | Set Attribute | window_name = $150, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66076 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88375614 |
|
1 | |
| Window | Set Attribute | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66078 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88375814 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -12, new_long = 66080 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Send dollars to this address bitcoins , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Send dollars to this address bitcoins , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Send dollars to this address bitcoins , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88375854 |
|
1 | |
| Window | Set Attribute | window_name = Send dollars to this address bitcoins , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66082 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88375414 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -12, new_long = 66084 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = 1Cm6VtFJmJGVLiaUh5WVKWau7QhJhtkj3G, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = 1Cm6VtFJmJGVLiaUh5WVKWau7QhJhtkj3G, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Window | Set Attribute | window_name = 1Cm6VtFJmJGVLiaUh5WVKWau7QhJhtkj3G, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 88375134 |
|
1 | |
| Window | Set Attribute | window_name = 1Cm6VtFJmJGVLiaUh5WVKWau7QhJhtkj3G, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -12, new_long = 66086 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Copy BTC, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Copy BTC, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, index = -4, new_long = 1876224000 |
|
1 | |
| Window | Set Attribute | window_name = Copy BTC, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, index = -4, new_long = 88375494 |
|
1 | |
| Window | Set Attribute | window_name = Copy BTC, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, index = -12, new_long = 66088 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Доброго времени суток!!! Все файлы на вашем компьютере зашифрованы. Расшифровать фалы возможно только при нашей помощи!!! Вам необходимо в течение 48 часов произвести оплату для расшифровки ваших файлов в соответствие с тарифом вашей страны. Тарифы указанны в окошке с лева!!! И обратиться к нам после оплаты за вашим индивидуальным ключем расшифровки по контактам ниже: Если этого не произойдет то через 72 часа все ваши файлы будут утеряны. К тому же мы используем ваш компьютер в своих не законных действиях. А по сколько ваш компьютер куплен вами и в соответствие с законодательством вашей страны является вашей собственностью. И нести уголовную ответственность за наши действия будете вы))) Поспешите произвести оплату, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Доброго времени суток!!! Все файлы на вашем компьютере зашифрованы. Расшифровать фалы возможно только при нашей помощи!!! Вам необходимо в течение 48 часов произвести оплату для расшифровки ваших файлов в соответствие с тарифом вашей страны. Тарифы указанны в окошке с лева!!! И обратиться к нам после оплаты за вашим индивидуальным ключем расшифровки по контактам ниже: Если этого не произойдет то через 72 часа все ваши файлы будут утеряны. К тому же мы используем ваш компьютер в своих не законных действиях. А по сколько ваш компьютер куплен вами и в соответствие с законодательством вашей страны является вашей собственностью. И нести уголовную ответственность за наши действия будете вы))) Поспешите произвести оплату, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Window | Set Attribute | window_name = Доброго времени суток!!! Все файлы на вашем компьютере зашифрованы. Расшифровать фалы возможно только при нашей помощи!!! Вам необходимо в течение 48 часов произвести оплату для расшифровки ваших файлов в соответствие с тарифом вашей страны. Тарифы указанны в окошке с лева!!! И обратиться к нам после оплаты за вашим индивидуальным ключем расшифровки по контактам ниже: Если этого не произойдет то через 72 часа все ваши файлы будут утеряны. К тому же мы используем ваш компьютер в своих не законных действиях. А по сколько ваш компьютер куплен вами и в соответствие с законодательством вашей страны является вашей собственностью. И нести уголовную ответственность за наши действия будете вы))) Поспешите произвести оплату, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 88375094 |
|
1 | |
| Window | Set Attribute | window_name = Доброго времени суток!!! Все файлы на вашем компьютере зашифрованы. Расшифровать фалы возможно только при нашей помощи!!! Вам необходимо в течение 48 часов произвести оплату для расшифровки ваших файлов в соответствие с тарифом вашей страны. Тарифы указанны в окошке с лева!!! И обратиться к нам после оплаты за вашим индивидуальным ключем расшифровки по контактам ниже: Если этого не произойдет то через 72 часа все ваши файлы будут утеряны. К тому же мы используем ваш компьютер в своих не законных действиях. А по сколько ваш компьютер куплен вами и в соответствие с законодательством вашей страны является вашей собственностью. И нести уголовную ответственность за наши действия будете вы))) Поспешите произвести оплату, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -12, new_long = 66090 |
|
1 | |
| System | Get window text | window_text = 1695396 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88375694 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -12, new_long = 66092 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Sorry! Your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Sorry! Your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Sorry! Your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88375734 |
|
1 | |
| Window | Set Attribute | window_name = Sorry! Your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66094 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
2 | |
| Window | Create | window_name = English, class_name = WindowsForms10.COMBOBOX.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = English, class_name = WindowsForms10.COMBOBOX.app.0.141b42a_r11_ad1, index = -4, new_long = 1876096512 |
|
1 | |
| Window | Set Attribute | window_name = English, class_name = WindowsForms10.COMBOBOX.app.0.141b42a_r11_ad1, index = -4, new_long = 88374974 |
|
1 | |
| Window | Set Attribute | window_name = English, class_name = WindowsForms10.COMBOBOX.app.0.141b42a_r11_ad1, index = -12, new_long = 66096 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 88375294 |
|
1 | |
| System | Get window text | window_text = 1695152 |
|
1 | |
| System | Get window text | window_text = 1697844 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = 00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88375374 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66102 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Name, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Name, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Name, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88377638 |
|
1 | |
| Window | Set Attribute | window_name = Name, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66104 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Helloy - , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Helloy - , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | window_name = Helloy - , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 88377038 |
|
1 | |
| Window | Set Attribute | window_name = Helloy - , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -12, new_long = 66106 |
|
1 | |
| System | Get window text | window_text = 1698040 |
|
1 | |
| Window | Set Attribute | index = -8, new_long = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = WindowsFormsParkingWindow, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = WindowsFormsParkingWindow, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | window_name = WindowsFormsParkingWindow, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88377358 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| System | Get window text | window_text = 1696608 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 88377198 |
|
1 | |
| System | Get window text | window_text = 1693148 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1693148 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r11_ad1, index = -4, new_long = 88376998 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -8, new_long = 66112 |
|
1 | |
| System | Get window text | window_text = 1696404 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -8, new_long = 66112 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
2 | |
| System | Get window text | window_text = 1696580 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -16, new_long = 302055424 |
|
1 | |
| Window | Set Attribute | window_name = Marozka Decryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -20, new_long = 65664 |
|
1 | |
| System | Get window text | window_text = 1696580 |
|
1 | |
| System | Get window text | window_text = 1694752 |
|
1 | |
| System | Get window text | window_text = 1692924 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1692924 |
|
1 | |
| System | Get window text | window_text = 1696676 |
|
1 | |
| System | Get window text | window_text = 1696740 |
|
1 | |
| System | Get window text | window_text = 1695148 |
|
1 | |
| System | Get window text | window_text = 1695052 |
|
2 | |
| System | Get window text | window_text = 1695148 |
|
1 | |
| System | Get window text | window_text = 1695052 |
|
2 | |
| System | Get window text | window_text = 1695148 |
|
1 | |
| System | Get window text | window_text = 1695052 |
|
2 | |
| System | Get window text | window_text = 1695148 |
|
1 | |
| System | Get window text | window_text = 1695052 |
|
2 | |
| System | Get window text | window_text = 1695148 |
|
1 | |
| System | Get window text | window_text = 1695052 |
|
2 | |
| System | Get window text | window_text = 1695148 |
|
1 | |
| System | Get window text | window_text = 1695052 |
|
2 | |
| System | Get window text | window_text = 1696740 |
|
3 | |
| System | Get window text | window_text = 1695148 |
|
1 | |
| System | Get window text | window_text = 1695052 |
|
2 | |
| System | Get window text | window_text = 1695148 |
|
1 | |
| System | Get window text | window_text = 1695052 |
|
2 | |
| System | Get window text | window_text = 1696588 |
|
4 | |
| System | Get window text | window_text = 1694996 |
|
1 | |
| System | Get window text | window_text = 1694900 |
|
2 | |
| System | Get window text | window_text = 1694996 |
|
1 | |
| System | Get window text | window_text = 1694900 |
|
2 | |
| System | Get window text | window_text = 1694996 |
|
1 | |
| System | Get window text | window_text = 1694900 |
|
2 | |
| System | Get window text | window_text = 1694996 |
|
1 | |
| System | Get window text | window_text = 1694900 |
|
2 | |
| System | Get window text | window_text = 1696588 |
|
5 | |
| System | Get window text | window_text = 1696404 |
|
1 | |
| System | Get window text | window_text = 1696556 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = knyaz@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = knyaz@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| System | Get window text | window_text = 1693412 |
|
1 | |
| System | Get window text | window_text = 1693316 |
|
2 | |
| System | Get window text | window_text = 1696340 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Support2:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = suporthermes@cock.li, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876218976 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Support1:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| System | Get window text | window_text = 16169304 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Good day!!! All files on your computer are encrypted. Decoding files is only possible with our help !!! You need to pay within 48 hours to decrypt your files in accordance with the tariff of your country. Tariffs are indicated in the window from the left !!! And contact us after paying for your individual decryption key by contact below: If this does not happen then after 72 hours all your files will be lost. In addition, we use your computer in their illegal actions. And how much your computer is bought by you and in accordance with your legislation country is your property. And you will be criminally responsible for our actions))) Hurry to pay, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Good day!!! All files on your computer are encrypted. Decoding files is only possible with our help !!! You need to pay within 48 hours to decrypt your files in accordance with the tariff of your country. Tariffs are indicated in the window from the left !!! And contact us after paying for your individual decryption key by contact below: If this does not happen then after 72 hours all your files will be lost. In addition, we use your computer in their illegal actions. And how much your computer is bought by you and in accordance with your legislation country is your property. And you will be criminally responsible for our actions))) Hurry to pay, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| System | Get window text | window_text = 1693412 |
|
1 | |
| System | Get window text | window_text = 1693316 |
|
2 | |
| System | Get window text | window_text = 1695020 |
|
1 | |
| System | Get window text | window_text = 1694924 |
|
2 | |
| System | Get window text | window_text = 1694956 |
|
1 | |
| System | Get window text | window_text = 1694860 |
|
2 | |
| System | Get window text | window_text = 1694956 |
|
1 | |
| System | Get window text | window_text = 1694860 |
|
1 | |
| System | Get window text | window_text = 16162808 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Buona giornata! Tutti i file sul tuo computer sono crittografati. La decodifica dei file è possibile solo con il nostro aiuto !!! Devi pagare entro 48 ore per decifrare il tuo file in conformità con la tariffa del tuo paese. Le tariffe sono indicate nella finestra da sinistra !!! E contattaci dopo aver pagato la tua chiave di decodifica individuale per contatto di seguito: Se ciò non accade, dopo 72 ore tutti i file andranno persi. Inoltre, usiamo il tuo computer nelle loro azioni illegali. E quanto il tuo computer è stato acquistato da te e in conformità con la tua legislazione il paese è di tua proprietà E sarai criminalmente responsabile delle nostre azioni))) Sbrigati a pagare, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Buona giornata! Tutti i file sul tuo computer sono crittografati. La decodifica dei file è possibile solo con il nostro aiuto !!! Devi pagare entro 48 ore per decifrare il tuo file in conformità con la tariffa del tuo paese. Le tariffe sono indicate nella finestra da sinistra !!! E contattaci dopo aver pagato la tua chiave di decodifica individuale per contatto di seguito: Se ciò non accade, dopo 72 ore tutti i file andranno persi. Inoltre, usiamo il tuo computer nelle loro azioni illegali. E quanto il tuo computer è stato acquistato da te e in conformità con la tua legislazione il paese è di tua proprietà E sarai criminalmente responsabile delle nostre azioni))) Sbrigati a pagare, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| System | Get window text | window_text = 1693316 |
|
2 | |
| System | Get window text | window_text = 1695020 |
|
1 | |
| System | Get window text | window_text = 1694924 |
|
2 | |
| System | Get window text | window_text = 1694956 |
|
1 | |
| System | Get window text | window_text = 1694860 |
|
2 | |
| System | Get window text | window_text = 1694956 |
|
1 | |
| System | Get window text | window_text = 1694860 |
|
2 | |
| System | Get window text | window_text = 1695888 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = 美好的一天! 您计算机上的所有文件都已加密。 只有在我们的帮助下才能解码文件! 您需要在48小时内付款才能解密 根据您所在国家/地区的关税文件。 从左边的窗口显示关税!!! 通过以下联系方式支付您的个人解密密钥后,请与我们联系: 如果没有发生这种情况,那么72小时后您的所有文件都将丢失。 此外,我们使用您的计算机进行非法操作。 您的电脑是根据您的法律购买了多少 国家是你的财产。 你将对我们的行为承担刑事责任))) 快点付钱, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876218976 |
|
1 | |
| System | Get window text | window_text = 16164296 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Guten tag Alle Dateien auf Ihrem Computer werden verschlüsselt. Das Entschlüsseln von Dateien ist nur mit unserer Hilfe möglich !!! Sie müssen innerhalb von 48 Stunden bezahlen, um Ihre Daten zu entschlüsseln Dateien in Übereinstimmung mit dem Tarif Ihres Landes. Tarife werden im Fenster von links angezeigt !!! Und kontaktieren Sie uns nach der Bezahlung Ihres individuellen Entschlüsselungsschlüssels per Kontakt: Geschieht dies nicht, gehen nach 72 Stunden alle Ihre Dateien verloren. Darüber hinaus verwenden wir Ihren Computer in ihren illegalen Handlungen. Und wie viel Ihr Computer von Ihnen gekauft wird und in Übereinstimmung mit Ihrer Gesetzgebung Land ist Ihr Eigentum. Und Sie werden für unsere Handlungen strafrechtlich verantwortlich sein))) Beeilen Sie sich zu bezahlen, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876218976 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Open Decryptor, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876224000 |
|
1 | |
| System | Get window text | window_text = 1696460 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1952448832 |
|
1 | |
| System | Get window text | window_text = 1695044 |
|
1 | |
| System | Get window text | window_text = 1696212 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Next 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Next 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| System | Get window text | window_text = 1696212 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = $300, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = $300, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| System | Get window text | window_text = 1696212 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| System | Get window text | window_text = 1696460 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = first 24 hours, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = $150, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Cost of, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| System | Get window text | window_text = 1694924 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Send dollars to this address bitcoins , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = 1Cm6VtFJmJGVLiaUh5WVKWau7QhJhtkj3G, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876218976 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Copy BTC, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876224000 |
|
1 | |
| System | Get window text | window_text = 16173376 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Доброго времени суток!!! Все файлы на вашем компьютере зашифрованы. Расшифровать фалы возможно только при нашей помощи!!! Вам необходимо в течение 48 часов произвести оплату для расшифровки ваших файлов в соответствие с тарифом вашей страны. Тарифы указанны в окошке с лева!!! И обратиться к нам после оплаты за вашим индивидуальным ключем расшифровки по контактам ниже: Если этого не произойдет то через 72 часа все ваши файлы будут утеряны. К тому же мы используем ваш компьютер в своих не законных действиях. А по сколько ваш компьютер куплен вами и в соответствие с законодательством вашей страны является вашей собственностью. И нести уголовную ответственность за наши действия будете вы))) Поспешите произвести оплату, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Доброго времени суток!!! Все файлы на вашем компьютере зашифрованы. Расшифровать фалы возможно только при нашей помощи!!! Вам необходимо в течение 48 часов произвести оплату для расшифровки ваших файлов в соответствие с тарифом вашей страны. Тарифы указанны в окошке с лева!!! И обратиться к нам после оплаты за вашим индивидуальным ключем расшифровки по контактам ниже: Если этого не произойдет то через 72 часа все ваши файлы будут утеряны. К тому же мы используем ваш компьютер в своих не законных действиях. А по сколько ваш компьютер куплен вами и в соответствие с законодательством вашей страны является вашей собственностью. И нести уголовную ответственность за наши действия будете вы))) Поспешите произвести оплату, class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| System | Get window text | window_text = 1693412 |
|
1 | |
| System | Get window text | window_text = 1693316 |
|
2 | |
| System | Get window text | window_text = 1696740 |
|
1 | |
| System | Get window text | window_text = 1696676 |
|
1 | |
| System | Get window text | window_text = 1696588 |
|
4 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Sorry! Your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = English, class_name = WindowsForms10.COMBOBOX.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876096512 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = 00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Name, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Helloy - , class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = -4, new_long = 1876339648 |
|
1 | |
| Window | Set Attribute | index = -8, new_long = 66110 |
|
1 | |
| Module | Get Filename | module_name = comctl32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = Systems, type = REG_NONE |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value_name = Systems, data = C:\FD1HVy\Hermes-decrypter-new.exe, size = 70, type = REG_SZ |
|
1 | |
| System | Get window text | window_text = 1697960 |
|
1 | |
| System | Get window text | window_text = 1697956 |
|
1 | |
| System | Get window text | window_text = 1697732 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1696512 |
|
1 | |
| System | Get window text | window_text = 1697792 |
|
1 | |
| System | Get window text | window_text = 1698000 |
|
1 | |
| System | Get window text | window_text = 1697940 |
|
3 | |
| System | Get window text | window_text = 1698000 |
|
1 | |
| System | Get window text | window_text = 1697716 |
|
1 | |
| System | Get window text | window_text = 1696124 |
|
1 | |
| System | Get window text | window_text = 1696028 |
|
2 | |
| System | Get window text | window_text = 1696124 |
|
1 | |
| System | Get window text | window_text = 1696028 |
|
2 | |
| System | Get window text | window_text = 1696124 |
|
1 | |
| System | Get window text | window_text = 1696028 |
|
2 | |
| System | Get window text | window_text = 1696124 |
|
1 | |
| System | Get window text | window_text = 1696028 |
|
2 | |
| System | Get window text | window_text = 1696124 |
|
1 | |
| System | Get window text | window_text = 1696028 |
|
1 | |
| System | Get window text | window_text = 1696124 |
|
1 | |
| System | Get window text | window_text = 1696028 |
|
2 | |
| System | Get window text | window_text = 1697716 |
|
3 | |
| System | Get window text | window_text = 1696124 |
|
1 | |
| System | Get window text | window_text = 1696028 |
|
2 | |
| System | Get window text | window_text = 1696124 |
|
1 | |
| System | Get window text | window_text = 1696028 |
|
2 | |
| System | Get window text | window_text = 1697716 |
|
1 | |
| System | Get window text | window_text = 1695508 |
|
1 | |
| System | Get window text | window_text = 1695412 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
1 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1695516 |
|
1 | |
| System | Get window text | window_text = 1695420 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 1697892 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697908 |
|
1 | |
| System | Get window text | window_text = 1697904 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1697888 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697908 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1697840 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697976 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
4 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| User | Get Username | user_name_out = FD1HVy |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
38 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Key, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Key, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
2 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| System | Get window text | window_text = 1695380 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = 100% decryption guarantee, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = 100% decryption guarantee, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Password:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Password:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Decrypt My Files, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Decrypt My Files, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, index = -4, new_long = 1876224000 |
|
1 | |
| System | Get window text | window_text = 1696644 |
|
1 | |
| System | Get window text | window_text = 1696600 |
|
1 | |
| System | Get window text | window_text = 1696728 |
|
1 | |
| System | Get window text | window_text = 1697836 |
|
1 | |
| System | Get window text | window_text = 1697688 |
|
1 | |
| System | Get window text | window_text = 1697644 |
|
1 | |
| System | Get window text | window_text = 1697800 |
|
1 | |
| System | Get window text | window_text = 1698040 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1697928 |
|
1 | |
| System | Get window text | window_text = 1697868 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697976 |
|
2 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1697840 |
|
1 | |
| System | Get window text | window_text = 1696204 |
|
1 | |
| System | Get window text | window_text = 1696108 |
|
2 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697904 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = TZI, type = REG_BINARY |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Display, data = @tzres.dll,-320, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Std, data = @tzres.dll,-322, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time, value_name = MUI_Dlt, data = @tzres.dll,-321, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\WINDOWS\system32\en-US\tzres.dll.mui, base_address = 0x85f0001 |
|
3 | |
| System | Get window text | window_text = 1698300 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| System | Get window text | window_text = 1698236 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1698300 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| System | Get window text | window_text = 1698236 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1698300 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| User | Get Username | user_name_out = FD1HVy |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
59 | |
| System | Get window text | window_text = 1695236 |
|
2 | |
| System | Get window text | window_text = 1697800 |
|
1 | |
| System | Get window text | window_text = 1698040 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| System | Get window text | window_text = 1698236 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1698300 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| System | Get window text | window_text = 1698236 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1698300 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| User | Get Username | user_name_out = FD1HVy |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
62 | |
| System | Get window text | window_text = 1697976 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Key, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Key, class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697764 |
|
1 | |
| System | Get window text | window_text = 1696924 |
|
1 | |
| System | Get window text | window_text = 1696888 |
|
1 | |
| System | Get window text | window_text = 1696924 |
|
1 | |
| System | Get window text | window_text = 1696888 |
|
1 | |
| System | Get window text | window_text = 1697836 |
|
1 | |
| System | Get window text | window_text = 1697688 |
|
1 | |
| System | Get window text | window_text = 1697644 |
|
1 | |
| System | Get window text | window_text = 1697688 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = 100% decryption guarantee, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = 100% decryption guarantee, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r11_ad1, index = -4, new_long = 1952448832 |
|
1 | |
| System | Get window text | window_text = 1695140 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.EDIT.app.0.141b42a_r11_ad1, index = -4, new_long = 1876218976 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Password:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Password:, class_name = WindowsForms10.STATIC.app.0.141b42a_r11_ad1, index = -4, new_long = 1876339648 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Window | Create | window_name = Decrypt My Files, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Decrypt My Files, class_name = WindowsForms10.BUTTON.app.0.141b42a_r11_ad1, index = -4, new_long = 1876224000 |
|
1 | |
| System | Get window text | window_text = 1697644 |
|
1 | |
| System | Get window text | window_text = 1697800 |
|
1 | |
| System | Get window text | window_text = 1698040 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1697928 |
|
1 | |
| System | Get window text | window_text = 1697868 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697976 |
|
2 | |
| System | Get window text | window_text = 1697900 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1697928 |
|
1 | |
| System | Get window text | window_text = 1697964 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| System | Get window text | window_text = 1698236 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1698300 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| System | Get window text | window_text = 1698236 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1698300 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| User | Get Username | user_name_out = FD1HVy |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
65 | |
| System | Get window text | window_text = 1695332 |
|
1 | |
| System | Get window text | window_text = 1695236 |
|
2 | |
| System | Get window text | window_text = 1697800 |
|
1 | |
| System | Get window text | window_text = 1698040 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| System | Get window text | window_text = 1698236 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1698300 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_6dad63fefc436da8\comctl32.dll, base_address = 0x6fcf0000 |
|
1 | |
| System | Get window text | window_text = 1698460 |
|
1 | |
| System | Get window text | window_text = 1698456 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_55bc94a37c2a2854\comctl32.dll, base_address = 0x6ff00000 |
|
1 | |
| System | Get window text | window_text = 1697900 |
|
2 | |
|
For performance reasons, the remaining 441 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Process #4: hermes-decrypter-new.exe
210
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\fd1hvy\hermes-decrypter-new.exe |
| Command Line | "C:\FD1HVy\Hermes-decrypter-new.exe" |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:04:24, Reason: Autostart |
| Unmonitor | End Time: 00:04:38, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe08 |
| Parent PID | 0x99c (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E0C
0x
E24
0x
E2C
0x
E30
|
Threads
Thread 0xe0c
210
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77260000 |
|
1 | |
| Debug | Check for Presence | c:\fd1hvy\hermes-decrypter-new.exe |
|
1 | |
| Debug | Check for Presence | c:\fd1hvy\hermes-decrypter-new.exe |
|
1 | |
| Debug | Check for Presence | c:\fd1hvy\hermes-decrypter-new.exe |
|
1 | |
| Debug | Hide | c:\fd1hvy\hermes-decrypter-new.exe |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| System | Get Info | type = SYSTEM_MODULE_INFORMATION |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 254 |
|
1 | |
| File | Open | filename = \??\C:\FD1HVy\Hermes-decrypter-new.exe, desired_access = FILE_READ_ATTRIBUTES, SYNCHRONIZE, GENERIC_READ, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Module | Create Mapping | protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | process_name = c:\fd1hvy\hermes-decrypter-new.exe, address_out = 0x0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77260000 |
|
6 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ole32.dll, base_address = 0x74ab0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x74e00000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\wtsapi32.dll, base_address = 0x73c70000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77260000 |
|
7 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x765c0000 |
|
1 | |
| System | Sleep | duration = 0 milliseconds (0.000 seconds) |
|
4 | |
| System | Get Time | type = System Time, time = 2019-05-24 16:59:52 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 78625 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 7865211877 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x771a4ae0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x771a4b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x771a4b40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x771a4b00 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x772c1ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x772c1ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x772c1ec0 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77260000 |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x765c0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernelbase.dll, base_address = 0x76850000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77260000 |
|
1 | |
| System | Get Time | type = System Time, time = 2019-05-24 16:59:53 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 79515 |
|
1 | |
| System | Get Time | type = Performance Ctr, time = 7954849931 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x771a4ae0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x771a4b20 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x771a4b40 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x771a4b00 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x772c1ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x772c1ec0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x772c29e0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x772c1ec0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x77190000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x771a5960 |
|
1 | |
| Module | Get Handle | module_name = c:\fd1hvy\hermes-decrypter-new.exe, base_address = 0x400000 |
|
1 | |
| Module | Load | module_name = mscoree.dll, base_address = 0x73b90000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\mscoree.dll, function = CLRCreateInstance, address_out = 0x73ba5000 |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | module_name = c:\fd1hvy\hermes-decrypter-new.exe, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\fd1hvy\hermes-decrypter-new.exe, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\ntdll.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\KERNEL32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernelbase.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\KERNELBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\apphelp.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ole32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ole32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\combase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ucrtbase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\RPCRT4.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\SspiCli.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\CRYPTBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\bcryptPrimitives.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\sechost.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\GDI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\gdi32full.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\msvcp_win.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\USER32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\win32u.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\oleaut32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\OLEAUT32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\wtsapi32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\WTSAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\msvcrt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\IMM32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\kernel.appcore.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\system32\uxtheme.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\mscoree.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\mscoree.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ADVAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\MSVCR120_CLR0400.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\SHLWAPI.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\f12799647dc4f4abd2f0f17790337f04\mscorlib.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\CRYPTSP.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\system32\rsaenh.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\bcrypt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\fcfb8bac8ea9a0e69d72c350b22f8e3f\System.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\5b307e2b9719b21749a8c73127ab5f45\System.Drawing.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\02d3b6022cc1ee466eb660dedcff59aa\System.Windows.Forms.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\psapi.dll, size = 2048 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, type = file_attributes |
|
1 | |
| Module | Load | module_name = mscorjit.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = clrjit.dll, base_address = 0x71ea0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll, function = getJit, address_out = 0x71ef3d60 |
|
1 | |
| Module | Get Filename | module_name = c:\fd1hvy\hermes-decrypter-new.exe, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\FD1HVy\Hermes-decrypter-new.exe, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\ntdll.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\KERNEL32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\kernelbase.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\KERNELBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\apphelp.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\ole32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ole32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\combase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ucrtbase.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\RPCRT4.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\SspiCli.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\CRYPTBASE.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\bcryptPrimitives.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\sechost.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\GDI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\gdi32full.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\msvcp_win.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\USER32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\win32u.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\oleaut32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\OLEAUT32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\wtsapi32.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\WTSAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\msvcrt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\IMM32.DLL, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\kernel.appcore.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\system32\uxtheme.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\mscoree.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\mscoree.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\ADVAPI32.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\MSVCR120_CLR0400.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\SHLWAPI.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\f12799647dc4f4abd2f0f17790337f04\mscorlib.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\CRYPTSP.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\system32\rsaenh.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\bcrypt.dll, size = 2048 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll, process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\fcfb8bac8ea9a0e69d72c350b22f8e3f\System.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\5b307e2b9719b21749a8c73127ab5f45\System.Drawing.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\02d3b6022cc1ee466eb660dedcff59aa\System.Windows.Forms.ni.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\System32\psapi.dll, size = 2048 |
|
1 | |
| Module | Get Filename | process_name = c:\fd1hvy\hermes-decrypter-new.exe, file_name_orig = C:\WINDOWS\SYSTEM32\version.dll, size = 2048 |
|
1 |
