Windows Analysis Report
SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe
Analysis ID:	1521527
MD5:	7b4035b7052f56004af9eaab53827574
SHA1:	302e9ca36501728f2e2415f75a2677d2f181f65a
SHA256:	a1b6bc527346f83980b95415abf3a30e636926afcc5e0cdc5d3b6c497b03f204
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

ReversingLabs: Detection: 34%

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 4x nop then sub rbx, qword ptr [rax+18h]		0_2_0034F340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 4x nop then mov rdi, 0000800000000000h		0_2_003593A0

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00359820	0_2_00359820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00336040	0_2_00336040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00355C80	0_2_00355C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0037C880	0_2_0037C880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_003398C0	0_2_003398C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00356960	0_2_00356960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0036A1E0	0_2_0036A1E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0034C9C0	0_2_0034C9C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0033D260	0_2_0033D260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0034F640	0_2_0034F640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0033C6A0	0_2_0033C6A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00377EA0	0_2_00377EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00342E80	0_2_00342E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_003352C0	0_2_003352C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00345720	0_2_00345720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00344BA5	0_2_00344BA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_003593A0	0_2_003593A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00335BC0	0_2_00335BC0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: String function: 00367680 appears 32 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: String function: 00367F00 appears 223 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: String function: 00365D40 appears 181 times

PE file contains more sections than normal

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static PE information: Number of sections : 13 > 10

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: Section: /19 ZLIB complexity 0.9968444172597865
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: Section: /32 ZLIB complexity 0.9955409787735849
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: Section: /65 ZLIB complexity 0.9977410827020202

Source: classification engine

Classification label: mal60.evad.winEXE@5/2@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

File opened: C:\Windows\system32\cbfd95aba991de69d27a9d80aaf7b1fd8d6e6c984cd99446f612f699565a35c8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

ReversingLabs: Detection: 34%

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

String found in binary or memory: C:/Users/ADMIN/sdk/go1.19.3/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process created: C:\Windows\System32\calc.exe calc
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process created: C:\Windows\System32\calc.exe calc	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.applicationmodel.datatransfer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.globalization.fontgroups.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: fontgroupsoverride.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.phone.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.web.dll	Jump to behavior

Source: C:\Windows\System32\calc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\calc.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Jump to behavior

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static file information: File size 2576896 > 1048576

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /32
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /46
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /65
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /78
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /90
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Code function: 0_2_0038FDA0 rdtscp

0_2_0038FDA0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe, 00000000.00000002.2146460764.000001BFD1C4C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Code function: 0_2_0038FDA0 Start: 0038FDA9 End: 0038FDBF

0_2_0038FDA0

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Code function: 0_2_0038FDA0 rdtscp

0_2_0038FDA0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Queries the volume information (name, serial number etc) of a device

Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat	MS Windows registry file, NT/2000 or above	97D1E055B1028A89296C4BD64E958B28	551FBC0F8FE2E308404FF42CD6112FE1153B431E	2A860D2D7A579B2DA6E8B976CB85251F906CB7EDA359169CBC4E20E7A9023C4E
C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\settings.dat.LOG1	MS Windows registry file, NT/2000 or above	3C40D38E9390916D54B535B4F481B167	DDF4532F71F092AA6B2E5BDB681EDCBD74F03F22	1AECC9A42528EAF563C54F70A9755F6CCF86643E9BD180FF44B781C5F5E44EE2

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

ReversingLabs: Detection: 34%

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 4x nop then sub rbx, qword ptr [rax+18h]		0_2_0034F340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 4x nop then mov rdi, 0000800000000000h		0_2_003593A0

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00359820	0_2_00359820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00336040	0_2_00336040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00355C80	0_2_00355C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0037C880	0_2_0037C880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_003398C0	0_2_003398C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00356960	0_2_00356960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0036A1E0	0_2_0036A1E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0034C9C0	0_2_0034C9C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0033D260	0_2_0033D260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0034F640	0_2_0034F640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_0033C6A0	0_2_0033C6A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00377EA0	0_2_00377EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00342E80	0_2_00342E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_003352C0	0_2_003352C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00345720	0_2_00345720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00344BA5	0_2_00344BA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_003593A0	0_2_003593A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: 0_2_00335BC0	0_2_00335BC0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: String function: 00367680 appears 32 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: String function: 00367F00 appears 223 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Code function: String function: 00365D40 appears 181 times

PE file contains more sections than normal

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static PE information: Number of sections : 13 > 10

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: Section: /19 ZLIB complexity 0.9968444172597865
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: Section: /32 ZLIB complexity 0.9955409787735849
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: Section: /65 ZLIB complexity 0.9977410827020202

Source: classification engine

Classification label: mal60.evad.winEXE@5/2@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Jump to behavior

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

ReversingLabs: Detection: 34%

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

String found in binary or memory: C:/Users/ADMIN/sdk/go1.19.3/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process created: C:\Windows\System32\calc.exe calc
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process created: C:\Windows\System32\calc.exe calc	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\calc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.applicationmodel.datatransfer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.globalization.fontgroups.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: fontgroupsoverride.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.ui.xaml.phone.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Section loaded: windows.web.dll	Jump to behavior

Source: C:\Windows\System32\calc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\calc.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Jump to behavior

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static file information: File size 2576896 > 1048576

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /32
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /46
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /65
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /78
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: /90
Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Code function: 0_2_0038FDA0 rdtscp

0_2_0038FDA0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe, 00000000.00000002.2146460764.000001BFD1C4C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Code function: 0_2_0038FDA0 Start: 0038FDA9 End: 0038FDBF

0_2_0038FDA0

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Code function: 0_2_0038FDA0 rdtscp

0_2_0038FDA0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Queries the volume information (name, serial number etc) of a device

Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

ID:	1521527
Product:	CloudBasic
Start time:	22:24:08
Start date:	28.09.2024
Sample:	SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	7b4035b7052f56004af9eaab53827574
SHA1:	302e9ca36501728f2e2415f75a2677d2f181f65a
SHA256:	a1b6bc527346f83980b95415abf3a30e636926afcc5e0cdc5d3b6c497b03f204
Filetype:	Win64 Executable (generic) (12005/4) 74.95%

Windows Analysis Report
SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
SecuriteInfo.com.Win64.Goshell-A.17848.24860.exe