Source: apollo.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: apollo.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdbSHA256w source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdbSHA256 source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdbSHA256( source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdbSHA256 source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdbSHA256t source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdbSHA256 source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Process/obj/Release/net451/Process.pdb source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/PSKCrypto/obj/Release/net451/PSKCryptography.pdb source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/ApolloInterop/obj/Release/net451/ApolloInterop.pdb source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdb source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Injection/obj/Release/net451/Injection.pdbSHA256 source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdbSHA256 source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/SimpleResolver/obj/Release/net451/SimpleResolver.pdb source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/KerberosTickets/obj/Release/net451/KerberosTickets.pdb source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/HttpProfile/obj/Release/net451/HttpProfile.pdb source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/Apollo/obj/Release/net451/Apollo.pdb source: apollo.exe |
Source: | Binary string: /tmp/tmp70mibbdd19136689-735c-4fa8-8aca-762da6751eee/EncryptedFileStore/obj/Release/net451/EncryptedFileStore.pdb source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/ |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/ApolloInterop.Structs.MythicStructs |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: apollo.exe | String found in binary or memory: https://192.168.1.217 |
Source: apollo.exe, 00000000.00000002.4215687848.000001524675D000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://192.168.1.217( |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://192.168.1.217/dato |
Source: apollo.exe, 00000000.00000002.4218250603.000001525F005000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://192.168.1.217/to |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://192.168.1.217:4 |
Source: apollo.exe, 00000000.00000002.4215687848.00000152466FB000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.00000152467C6000.00000004.00000800.00020000.00000000.sdmp, apollo.exe, 00000000.00000002.4215687848.000001524677C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://192.168.1.217:443 |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246668000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://192.168.1.217:4432 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49964 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50007 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50006 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 50007 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50005 |
Source: unknown | Network traffic detected: HTTP traffic on port 49964 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 50005 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 50006 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: Yara match | File source: 0.2.apollo.exe.15244f30000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.apollo.exe.15244f30000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: apollo.exe PID: 7556, type: MEMORYSTR |
Source: C:\Users\user\Desktop\apollo.exe | Process Stats: CPU usage > 49% |
Source: apollo.exe, 00000000.00000002.4215687848.000001524665A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215394399.0000015244F80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameInjection.dll4 vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215429692.0000015244F90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameKerberosTickets.dll@ vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215495956.0000015244FC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleResolver.dll> vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215146572.0000015244E80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameHttpProfile.dll8 vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215182470.0000015244E90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePSKCryptography.dll@ vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215105934.0000015244E60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameProcess.dll0 vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215687848.0000015246643000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215578898.0000015244FE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEncryptedFileStore.dllF vs apollo.exe |
Source: apollo.exe, 00000000.00000002.4215252791.0000015244F30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameApolloInterop.dll< vs apollo.exe |
Source: apollo.exe, TaskManager.cs | Task registration methods: 'CreateTaskingMessage' |
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, load.cs | Task registration methods: 'CreateTasking' |
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, load.cs | Task registration methods: 'CreateTasking' |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, QueueUserAPC.cs | Suspicious method names: .QueueUserAPC.Inject |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs | Suspicious method names: .NtCreateThreadEx.Inject |
Source: 0.2.apollo.exe.15244e60000.1.raw.unpack, SacrificialProcess.cs | Suspicious method names: .SacrificialProcess.Inject |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs | Suspicious method names: .CreateRemoteThread.Inject |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs | Suspicious method names: .InjectionManager.GetCurrentTechnique |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs | Suspicious method names: .InjectionManager.SetTechnique |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs | Suspicious method names: .InjectionManager.LoadTechnique |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs | Suspicious method names: .InjectionManager.GetTechniques |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs | Suspicious method names: .InjectionManager.CreateInstance |
Source: classification engine | Classification label: mal84.troj.evad.winEXE@2/0@0/1 |
Source: C:\Users\user\Desktop\apollo.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03 |
Source: apollo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown | Process created: C:\Users\user\Desktop\apollo.exe "C:\Users\user\Desktop\apollo.exe" |
Source: C:\Users\user\Desktop\apollo.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: napinsp.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: pnrpnsp.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: wshbth.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: nlaapi.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: winrnr.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: rasapi32.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: rasman.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: rtutils.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\apollo.exe | Section loaded: schannel.dll |
Source: apollo.exe, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[]) |
Source: apollo.exe, TaskManager.cs | .Net Code: LoadTaskModule System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, wmiexecute.cs | .Net Code: Start |
Source: 0.2.apollo.exe.15256805a10.13.raw.unpack, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, InjectionManager.cs | .Net Code: LoadTechnique System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, wmiexecute.cs | .Net Code: Start |
Source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[]) |
Source: Yara match | File source: apollo.exe, type: SAMPLE |
Source: Yara match | File source: 0.2.apollo.exe.1525edf0000.15.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.apollo.exe.15256629ac0.14.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.apollo.exe.15256805a10.13.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.apollo.exe.15256805a10.13.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.apollo.exe.15256629ac0.14.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.apollo.exe.1525edf0000.15.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.apollo.exe.15244780000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.4215687848.0000015246621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.4217866938.000001525EDF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.4216733237.0000015256621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.4216733237.00000152567D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.1755800170.0000015244782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: apollo.exe PID: 7556, type: MEMORYSTR |
Source: C:\Users\user\Desktop\apollo.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 600000 | Jump to behavior |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599874 | Jump to behavior |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599765 | Jump to behavior |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599655 | Jump to behavior |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599546 | Jump to behavior |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599437 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599328 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599218 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599109 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598999 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598890 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598781 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598671 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598562 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598453 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598343 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598234 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598124 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598015 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597900 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597796 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597687 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597578 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597468 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597359 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597249 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597140 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597031 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596921 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596812 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596703 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596592 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596484 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596374 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596265 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596156 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596046 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595937 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595828 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595718 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595609 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595499 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595390 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595281 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595171 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595062 |
Source: C:\Users\user\Desktop\apollo.exe TID: 7636 | Thread sleep time: -43500s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -23980767295822402s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -600000s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -599874s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -599765s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -599655s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -599546s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -599437s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -599328s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -599218s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -599109s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598999s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598890s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598781s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598671s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598562s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598453s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598343s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598234s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598124s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -598015s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597900s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597796s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597687s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597578s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597468s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597359s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597249s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597140s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -597031s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596921s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596812s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596703s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596592s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596484s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596374s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596265s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596156s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -596046s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595937s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595828s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595718s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595609s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595499s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595390s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595281s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595171s >= -30000s |
Source: C:\Users\user\Desktop\apollo.exe TID: 8148 | Thread sleep time: -595062s >= -30000s |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 600000 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599874 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599765 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599655 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599546 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599437 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599328 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599218 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 599109 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598999 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598890 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598781 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598671 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598562 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598453 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598343 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598234 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598124 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 598015 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597900 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597796 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597687 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597578 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597468 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597359 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597249 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597140 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 597031 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596921 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596812 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596703 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596592 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596484 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596374 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596265 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596156 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 596046 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595937 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595828 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595718 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595609 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595499 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595390 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595281 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595171 |
Source: C:\Users\user\Desktop\apollo.exe | Thread delayed: delay time: 595062 |
Source: apollo.exe, 00000000.00000002.4218250603.000001525F005000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\apollo.exe | Process Stats: CPU usage > 42% for more than 60s |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs | .Net Code: GetFunctionPointers contains injection code |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs | .Net Code: Inject contains injection code |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs | .Net Code: Setup contains injection code |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs | .Net Code: Inject contains injection code |
Source: apollo.exe, IdentityManager.cs | Reference to suspicious API methods: _OpenProcessToken(handle, 983551u, out _originalPrimaryToken) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs | Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<VirtualAllocEx>(Library.KERNEL32, "VirtualAllocEx", true, true) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs | Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<WriteProcessMemory>(Library.KERNEL32, "WriteProcessMemory", true, true) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs | Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<CRT>(Library.KERNEL32, "CreateRemoteThread", true, true) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, CreateRemoteThread.cs | Reference to suspicious API methods: base._agent.GetApi().GetLibraryFunction<VirtualProtectEx>(Library.KERNEL32, "VirtualProtectEx", true, true) |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs | Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtAllocateVirtualMemory>("NtAllocateVirtualMemory") |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs | Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtProtectVirtualMemory>("NtProtectVirtualMemory") |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs | Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtCreateThreadExDelegate>("NtCreateThreadEx") |
Source: 0.2.apollo.exe.15244f80000.5.raw.unpack, NtCreateThreadEx.cs | Reference to suspicious API methods: _syscall.MarshalNtSyscall<NtWriteVirtualMemory>("NtWriteVirtualMemory") |
Source: C:\Users\user\Desktop\apollo.exe | Queries volume information: C:\Users\user\Desktop\apollo.exe VolumeInformation |
Source: C:\Users\user\Desktop\apollo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation |
Source: C:\Users\user\Desktop\apollo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation |
Source: C:\Users\user\Desktop\apollo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation |