Windows Analysis Report apollo.exe

Yara detected Apollo Agent

Source: apollo.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: apollo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdbSHA256w source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdbSHA256 source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdbSHA256( source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdbSHA256 source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdbSHA256t source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdbSHA256 source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdb source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdb source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdb source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdb source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdbSHA256 source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdbSHA256 source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdb source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdb source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdb source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Apollo/obj/Release/net451/Apollo.pdb source: apollo.exe
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdb source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp

Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/ApolloInterop.Structs.MythicStructs
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: apollo.exe	String found in binary or memory: https://192.168.1.217
Source: apollo.exe, 00000000.00000002.4215687848.000001524675D000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217(
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217/dato
Source: apollo.exe, 00000000.00000002.4218250603.000001525F005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217/to
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217:4
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217:443
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217:4432

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

System Summary

Source: Yara match	File source: 0.2.apollo.exe.15244f30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15244f30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: apollo.exe PID: 7556, type: MEMORYSTR

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\apollo.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B70D1D0	0_2_00007FFD9B70D1D0
Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B70BF4E	0_2_00007FFD9B70BF4E
Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B70D2ED	0_2_00007FFD9B70D2ED
Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B704521	0_2_00007FFD9B704521

Sample file is different than original file name gathered from version info

Source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameInjection.dll4 vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKerberosTickets.dll@ vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleResolver.dll> vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHttpProfile.dll8 vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePSKCryptography.dll@ vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameProcess.dll0 vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameApolloInterop.dll< vs apollo.exe

Source: apollo.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: apollo.exe, TaskManager.cs	Task registration methods: 'CreateTaskingMessage'
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, load.cs	Task registration methods: 'CreateTasking'
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, load.cs	Task registration methods: 'CreateTasking'

Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, QueueUserAPC.cs	Suspicious method names: .QueueUserAPC.Inject
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Suspicious method names: .NtCreateThreadEx.Inject
Source: 0.2.apollo.exe.15244e60000.1.raw.unpack, SacrificialProcess.cs	Suspicious method names: .SacrificialProcess.Inject
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Suspicious method names: .CreateRemoteThread.Inject
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.GetCurrentTechnique
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.SetTechnique
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.LoadTechnique
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.GetTechniques
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.CreateInstance

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/0@0/1

Source: C:\Users\user\Desktop\apollo.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: apollo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: apollo.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\apollo.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: apollo.exe	ReversingLabs: Detection: 44%
Source: apollo.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\apollo.exe "C:\Users\user\Desktop\apollo.exe"
Source: C:\Users\user\Desktop\apollo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\apollo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\apollo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\apollo.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: apollo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: apollo.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: apollo.exe

Static file information: File size 2095616 > 1048576

Source: apollo.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ff000

Source: apollo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: apollo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdbSHA256w source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdbSHA256 source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdbSHA256( source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdbSHA256 source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdbSHA256t source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdbSHA256 source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdb source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdb source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdb source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdb source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdbSHA256 source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdbSHA256 source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdb source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdb source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdb source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Apollo/obj/Release/net451/Apollo.pdb source: apollo.exe
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdb source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: apollo.exe, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: apollo.exe, TaskManager.cs	.Net Code: LoadTaskModule System.Reflection.Assembly.Load(byte[])
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, wmiexecute.cs	.Net Code: Start
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	.Net Code: LoadTechnique System.Reflection.Assembly.Load(byte[])
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, wmiexecute.cs	.Net Code: Start
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: apollo.exe, type: SAMPLE
Source: Yara match	File source: 0.2.apollo.exe.1525edf0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15256805a10.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15256805a10.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15256629ac0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.1525edf0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.apollo.exe.15244780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4217866938.000001525EDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4216733237.0000015256621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4216733237.00000152567D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1755800170.0000015244782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: apollo.exe PID: 7556, type: MEMORYSTR

Binary contains a suspicious time stamp

Source: apollo.exe

Static PE information: 0x8F692F2D [Fri Mar 30 15:07:25 2046 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B716B12 pushad ; ret		0_2_00007FFD9B716BCD
Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B7000AD pushad ; iretd		0_2_00007FFD9B7000C1

Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\apollo.exe	Memory allocated: 15244E50000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Memory allocated: 1525E620000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597900	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596592	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595062	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\apollo.exe	Window / User API: threadDelayed 1698	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Window / User API: threadDelayed 435	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Window / User API: threadDelayed 7669	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\apollo.exe TID: 7636	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597900s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595062s >= -30000s	Jump to behavior

Potential time zone aware malware

Source: C:\Users\user\Desktop\apollo.exe

System information queried: CurrentTimeZoneInformation

Sample execution stops while process was sleeping (likely an evasion)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597900	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596592	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595062	Jump to behavior

Source: apollo.exe, 00000000.00000002.4218250603.000001525F005000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\apollo.exe

Process information queried: ProcessInformation

Found potential dummy code loops (likely to delay analysis)

Anti Debugging

Source: C:\Users\user\Desktop\apollo.exe

Process Stats: CPU usage > 42% for more than 60s

Enables debug privileges

Source: C:\Users\user\Desktop\apollo.exe

Process token adjusted: Debug

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\apollo.exe

Memory allocated: page read and write | page guard

.NET source code contains process injector

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	.Net Code: GetFunctionPointers contains injection code
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	.Net Code: Inject contains injection code
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	.Net Code: Setup contains injection code
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	.Net Code: Inject contains injection code

.NET source code references suspicious native API functions

Source: apollo.exe, IdentityManager.cs	Reference to suspicious API methods: _OpenProcessToken(handle, 983551u, out _originalPrimaryToken)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<VirtualAllocEx>(Library.KERNEL32, "VirtualAllocEx", true, true)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<WriteProcessMemory>(Library.KERNEL32, "WriteProcessMemory", true, true)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<CRT>(Library.KERNEL32, "CreateRemoteThread", true, true)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<VirtualProtectEx>(Library.KERNEL32, "VirtualProtectEx", true, true)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtAllocateVirtualMemory>("NtAllocateVirtualMemory")
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtProtectVirtualMemory>("NtProtectVirtualMemory")
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtCreateThreadExDelegate>("NtCreateThreadEx")
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtWriteVirtualMemory>("NtWriteVirtualMemory")

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\apollo.exe	Queries volume information: C:\Users\user\Desktop\apollo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\apollo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Multi AV Scanner detection for submitted file

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.1.217

AV Detection

Source: apollo.exe	ReversingLabs: Detection: 44%
Source: apollo.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: apollo.exe

Joe Sandbox ML: detected

Yara detected Apollo Agent

Source: apollo.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: apollo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdbSHA256w source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdbSHA256 source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdbSHA256( source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdbSHA256 source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdbSHA256t source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdbSHA256 source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdb source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdb source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdb source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdb source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdbSHA256 source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdbSHA256 source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdb source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdb source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdb source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Apollo/obj/Release/net451/Apollo.pdb source: apollo.exe
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdb source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp

Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/ApolloInterop.Structs.MythicStructs
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: apollo.exe	String found in binary or memory: https://192.168.1.217
Source: apollo.exe, 00000000.00000002.4215687848.000001524675D000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217(
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217/dato
Source: apollo.exe, 00000000.00000002.4218250603.000001525F005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217/to
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217:4
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217:443
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.168.1.217:4432

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

System Summary

Source: Yara match	File source: 0.2.apollo.exe.15244f30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15244f30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: apollo.exe PID: 7556, type: MEMORYSTR

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\apollo.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B70D1D0	0_2_00007FFD9B70D1D0
Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B70BF4E	0_2_00007FFD9B70BF4E
Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B70D2ED	0_2_00007FFD9B70D2ED
Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B704521	0_2_00007FFD9B704521

Sample file is different than original file name gathered from version info

Source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameInjection.dll4 vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKerberosTickets.dll@ vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleResolver.dll> vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHttpProfile.dll8 vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePSKCryptography.dll@ vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameProcess.dll0 vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe
Source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameApolloInterop.dll< vs apollo.exe

Source: apollo.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: apollo.exe, TaskManager.cs	Task registration methods: 'CreateTaskingMessage'
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, load.cs	Task registration methods: 'CreateTasking'
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, load.cs	Task registration methods: 'CreateTasking'

Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, QueueUserAPC.cs	Suspicious method names: .QueueUserAPC.Inject
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Suspicious method names: .NtCreateThreadEx.Inject
Source: 0.2.apollo.exe.15244e60000.1.raw.unpack, SacrificialProcess.cs	Suspicious method names: .SacrificialProcess.Inject
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Suspicious method names: .CreateRemoteThread.Inject
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.GetCurrentTechnique
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.SetTechnique
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.LoadTechnique
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.GetTechniques
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	Suspicious method names: .InjectionManager.CreateInstance

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/0@0/1

Source: C:\Users\user\Desktop\apollo.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03

Source: apollo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: apollo.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\apollo.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: apollo.exe	ReversingLabs: Detection: 44%
Source: apollo.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\apollo.exe "C:\Users\user\Desktop\apollo.exe"
Source: C:\Users\user\Desktop\apollo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\apollo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\apollo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\apollo.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: apollo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: apollo.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: apollo.exe

Static file information: File size 2095616 > 1048576

Source: apollo.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ff000

Source: apollo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: apollo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdbSHA256w source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdbSHA256 source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdbSHA256( source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdbSHA256 source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdbSHA256t source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdbSHA256 source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdb source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdb source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdb source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdb source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdbSHA256 source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdbSHA256 source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdb source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdb source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdb source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Apollo/obj/Release/net451/Apollo.pdb source: apollo.exe
Source:	Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdb source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: apollo.exe, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: apollo.exe, TaskManager.cs	.Net Code: LoadTaskModule System.Reflection.Assembly.Load(byte[])
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, wmiexecute.cs	.Net Code: Start
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs	.Net Code: LoadTechnique System.Reflection.Assembly.Load(byte[])
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, wmiexecute.cs	.Net Code: Start
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: apollo.exe, type: SAMPLE
Source: Yara match	File source: 0.2.apollo.exe.1525edf0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15256805a10.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15256805a10.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.15256629ac0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.apollo.exe.1525edf0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.apollo.exe.15244780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4217866938.000001525EDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4216733237.0000015256621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4216733237.00000152567D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1755800170.0000015244782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: apollo.exe PID: 7556, type: MEMORYSTR

Binary contains a suspicious time stamp

Source: apollo.exe

Static PE information: 0x8F692F2D [Fri Mar 30 15:07:25 2046 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B716B12 pushad ; ret		0_2_00007FFD9B716BCD
Source: C:\Users\user\Desktop\apollo.exe	Code function: 0_2_00007FFD9B7000AD pushad ; iretd		0_2_00007FFD9B7000C1

Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\apollo.exe	Memory allocated: 15244E50000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Memory allocated: 1525E620000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597900	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596592	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595062	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\apollo.exe	Window / User API: threadDelayed 1698	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Window / User API: threadDelayed 435	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Window / User API: threadDelayed 7669	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\apollo.exe TID: 7636	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597900s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe TID: 8148	Thread sleep time: -595062s >= -30000s	Jump to behavior

Potential time zone aware malware

Source: C:\Users\user\Desktop\apollo.exe

System information queried: CurrentTimeZoneInformation

Sample execution stops while process was sleeping (likely an evasion)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597900	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596592	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Thread delayed: delay time: 595062	Jump to behavior

Source: apollo.exe, 00000000.00000002.4218250603.000001525F005000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\apollo.exe

Process information queried: ProcessInformation

Found potential dummy code loops (likely to delay analysis)

Anti Debugging

Source: C:\Users\user\Desktop\apollo.exe

Process Stats: CPU usage > 42% for more than 60s

Enables debug privileges

Source: C:\Users\user\Desktop\apollo.exe

Process token adjusted: Debug

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\apollo.exe

Memory allocated: page read and write | page guard

.NET source code contains process injector

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	.Net Code: GetFunctionPointers contains injection code
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	.Net Code: Inject contains injection code
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	.Net Code: Setup contains injection code
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	.Net Code: Inject contains injection code

.NET source code references suspicious native API functions

Source: apollo.exe, IdentityManager.cs	Reference to suspicious API methods: _OpenProcessToken(handle, 983551u, out _originalPrimaryToken)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<VirtualAllocEx>(Library.KERNEL32, "VirtualAllocEx", true, true)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<WriteProcessMemory>(Library.KERNEL32, "WriteProcessMemory", true, true)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<CRT>(Library.KERNEL32, "CreateRemoteThread", true, true)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs	Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<VirtualProtectEx>(Library.KERNEL32, "VirtualProtectEx", true, true)
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtAllocateVirtualMemory>("NtAllocateVirtualMemory")
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtProtectVirtualMemory>("NtProtectVirtualMemory")
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtCreateThreadExDelegate>("NtCreateThreadEx")
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs	Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtWriteVirtualMemory>("NtWriteVirtualMemory")

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\apollo.exe	Queries volume information: C:\Users\user\Desktop\apollo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\apollo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\apollo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid