Source: apollo.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdbSHA256w source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdbSHA256 source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdbSHA256( source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdbSHA256 source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdbSHA256t source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdbSHA256 source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdb source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdb source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdb source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdb source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdbSHA256 source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdbSHA256 source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdb source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdb source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdb source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Apollo/obj/Release/net451/Apollo.pdb source: apollo.exe |
Source: |
Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdb source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.datacontract.org |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.datacontract.org/2004/07/ |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.datacontract.org/2004/07/ApolloInterop.Structs.MythicStructs |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: apollo.exe |
String found in binary or memory: https://192.168.1.217 |
Source: apollo.exe, 00000000.00000002.4215687848.000001524675D000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://192.168.1.217( |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://192.168.1.217/dato |
Source: apollo.exe, 00000000.00000002.4218250603.000001525F005000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://192.168.1.217/to |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://192.168.1.217:4 |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://192.168.1.217:443 |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://192.168.1.217:4432 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49964 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 50007 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 50006 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 50007 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 50005 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49964 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 50005 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 50006 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: Yara match |
File source: 0.2.apollo.exe.15244f30000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.apollo.exe.15244f30000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: apollo.exe PID: 7556, type: MEMORYSTR |
Source: C:\Users\user\Desktop\apollo.exe |
Code function: 0_2_00007FFD9B70D1D0 |
Source: C:\Users\user\Desktop\apollo.exe |
Code function: 0_2_00007FFD9B70BF4E |
Source: C:\Users\user\Desktop\apollo.exe |
Code function: 0_2_00007FFD9B70D2ED |
Source: C:\Users\user\Desktop\apollo.exe |
Code function: 0_2_00007FFD9B704521 |
Source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameInjection.dll4 vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameKerberosTickets.dll@ vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameSimpleResolver.dll> vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameHttpProfile.dll8 vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenamePSKCryptography.dll@ vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameProcess.dll0 vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameApolloInterop.dll< vs apollo.exe |
Source: apollo.exe, TaskManager.cs |
Task registration methods: 'CreateTaskingMessage' |
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, load.cs |
Task registration methods: 'CreateTasking' |
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, load.cs |
Task registration methods: 'CreateTasking' |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, QueueUserAPC.cs |
Suspicious method names: .QueueUserAPC.Inject |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs |
Suspicious method names: .NtCreateThreadEx.Inject |
Source: 0.2.apollo.exe.15244e60000.1.raw.unpack, SacrificialProcess.cs |
Suspicious method names: .SacrificialProcess.Inject |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs |
Suspicious method names: .CreateRemoteThread.Inject |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs |
Suspicious method names: .InjectionManager.GetCurrentTechnique |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs |
Suspicious method names: .InjectionManager.SetTechnique |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs |
Suspicious method names: .InjectionManager.LoadTechnique |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs |
Suspicious method names: .InjectionManager.GetTechniques |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs |
Suspicious method names: .InjectionManager.CreateInstance |
Source: C:\Users\user\Desktop\apollo.exe |
Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03 |
Source: apollo.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\apollo.exe "C:\Users\user\Desktop\apollo.exe" |
Source: C:\Users\user\Desktop\apollo.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: napinsp.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: pnrpnsp.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: wshbth.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: nlaapi.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: winrnr.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: rasapi32.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: rasman.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: rtutils.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Section loaded: schannel.dll |
Source: apollo.exe, AssemblyLoader.cs |
.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[]) |
Source: apollo.exe, TaskManager.cs |
.Net Code: LoadTaskModule System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, wmiexecute.cs |
.Net Code: Start |
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, AssemblyLoader.cs |
.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs |
.Net Code: LoadTechnique System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, wmiexecute.cs |
.Net Code: Start |
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, AssemblyLoader.cs |
.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[]) |
Source: Yara match |
File source: apollo.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.apollo.exe.1525edf0000.15.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.apollo.exe.15256805a10.13.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.apollo.exe.15256805a10.13.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.apollo.exe.15256629ac0.14.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.apollo.exe.1525edf0000.15.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.apollo.exe.15244780000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4217866938.000001525EDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4216733237.0000015256621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4216733237.00000152567D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.1755800170.0000015244782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: apollo.exe PID: 7556, type: MEMORYSTR |
Source: C:\Users\user\Desktop\apollo.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 600000 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599874 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599765 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599655 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599546 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599437 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599328 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599218 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599109 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598999 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598890 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598781 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598671 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598562 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598453 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598343 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598234 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598124 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598015 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597900 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597796 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597687 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597578 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597468 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597359 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597249 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597140 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597031 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596921 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596812 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596703 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596592 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596484 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596374 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596265 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596156 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596046 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595937 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595828 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595718 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595609 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595499 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595390 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595281 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595171 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595062 |
Source: C:\Users\user\Desktop\apollo.exe TID: 7636 |
Thread sleep time: -43500s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -23980767295822402s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -600000s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -599874s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -599765s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -599655s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -599546s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -599437s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -599328s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -599218s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -599109s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598999s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598890s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598781s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598671s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598562s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598453s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598343s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598234s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598124s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -598015s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597900s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597796s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597687s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597578s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597468s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597359s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597249s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597140s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -597031s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596921s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596812s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596703s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596592s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596484s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596374s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596265s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596156s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -596046s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595937s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595828s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595718s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595609s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595499s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595390s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595281s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595171s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 |
Thread sleep time: -595062s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 600000 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599874 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599765 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599655 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599546 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599437 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599328 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599218 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 599109 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598999 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598890 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598781 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598671 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598562 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598453 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598343 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598234 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598124 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 598015 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597900 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597796 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597687 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597578 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597468 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597359 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597249 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597140 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 597031 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596921 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596812 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596703 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596592 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596484 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596374 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596265 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596156 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 596046 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595937 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595828 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595718 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595609 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595499 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595390 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595281 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595171 |
Source: C:\Users\user\Desktop\apollo.exe |
Thread delayed: delay time: 595062 |
Source: apollo.exe, 00000000.00000002.4218250603.000001525F005000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\apollo.exe |
Process Stats: CPU usage > 42% for more than 60s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs |
.Net Code: GetFunctionPointers contains injection code |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs |
.Net Code: Inject contains injection code |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs |
.Net Code: Setup contains injection code |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs |
.Net Code: Inject contains injection code |
Source: apollo.exe, IdentityManager.cs |
Reference to suspicious API methods: _OpenProcessToken(handle, 983551u, out _originalPrimaryToken) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs |
Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<VirtualAllocEx>(Library.KERNEL32, "VirtualAllocEx", true, true) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs |
Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<WriteProcessMemory>(Library.KERNEL32, "WriteProcessMemory", true, true) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs |
Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<CRT>(Library.KERNEL32, "CreateRemoteThread", true, true) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs |
Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<VirtualProtectEx>(Library.KERNEL32, "VirtualProtectEx", true, true) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs |
Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtAllocateVirtualMemory>("NtAllocateVirtualMemory") |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs |
Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtProtectVirtualMemory>("NtProtectVirtualMemory") |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs |
Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtCreateThreadExDelegate>("NtCreateThreadEx") |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs |
Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtWriteVirtualMemory>("NtWriteVirtualMemory") |
Source: C:\Users\user\Desktop\apollo.exe |
Queries volume information: C:\Users\user\Desktop\apollo.exe VolumeInformation |
Source: C:\Users\user\Desktop\apollo.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation |
Source: C:\Users\user\Desktop\apollo.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation |
Source: C:\Users\user\Desktop\apollo.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation |