d27a5719ec67c146a1b338302074de39f5ad49b17f81cb014cc2c57c4f464d85

Analysis

max time kernel
196s
max time network
73s
platform
windows7_x64
resource
win7v20210408
submitted
14/10/2021, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VanGoth.exe
Size

36KB
MD5

afff555062c4e6fb3a34e7c2be519fcd
SHA1

73ed552ba04e57e8cd991f9f82a182aa298c4baa
SHA256

d27a5719ec67c146a1b338302074de39f5ad49b17f81cb014cc2c57c4f464d85
SHA512

31b3b0cf4e877f848fae85c7afd08fe165ae5bcb114d41781d28403e276f524d383e34f7d3e39b96beb8e39f023ae1d150115bf751a3196e3c773eb688a6277f

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	VanGoth.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc350u.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf583u.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4340t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa520t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc650X.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500at.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\en-US\erofflps.txt	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc3100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1360t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hphp910t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk5400t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpn5150t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpf4400t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc610u.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMovieMaker.bmp	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2400t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf4100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj3500t.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc353X.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\sml455u.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\RacRules.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpah470t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4300t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpD5400t.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\oobe\background.bmp	VanGoth.exe
File opened for modification	C:\Windows\System32\catroot2\dberr.txt	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpcp6.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa440t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kom4650X.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsOutlookExpress.bmp	VanGoth.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\data\HardwareVendors.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\NdfEventView.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5700t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpd7500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7600t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500nt.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc6200t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc5500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk5300t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc6300t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500nt.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc4600t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc660u.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc6100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2360t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smx620u.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\icsxml\osinfo.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\tsmxuPipelineConfig.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsPhotoGallery.bmp	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk8600t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8000at.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5060t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa620t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc5300t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc4500t.xml	VanGoth.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Adobe.css	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\gadget.xml	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime.css	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	VanGoth.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	VanGoth.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	VanGoth.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	VanGoth.exe
File opened for modification	C:\Program Files\UnregisterOptimize.ogg	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	VanGoth.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert.css	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl.css	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	VanGoth.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	VanGoth.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	VanGoth.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	VanGoth.exe
File created	C:\Program Files\Internet Explorer\Timeline.cpu.xml	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	VanGoth.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	VanGoth.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Windows Exclamation.wav	VanGoth.exe
File created	C:\Windows\Media\Calligraphy\Windows Print complete.wav	VanGoth.exe
File created	C:\Windows\Media\Sonata\Windows Critical Stop.wav	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersonalization.sql	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\novelty_m.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\36.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Peacock.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-huecycle_31bf3856ad364e35_6.1.7600.16385_none_810df6f57d9f2a73\huemainsubpicture2.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winsatmediasamples_31bf3856ad364e35_6.1.7600.16385_none_0b34d0642122c1c4\Clip_480_5sec_6mbps_h264.mp4	VanGoth.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.1.7600.16385_none_094460616193b3f6\WebAdminHelp_Application.aspx	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4d6aa30008b38d10\cpu.html	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..riventextservice-yi_31bf3856ad364e35_6.1.7600.16385_none_4153c9e11ffae30c\TableTextServiceYi.txt	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..tional-chinese-dayi_31bf3856ad364e35_6.1.7600.16385_none_6052679946eea92d\TableTextServiceDaYi.txt	VanGoth.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.1.7600.16385_none_77bb8934c5837c8b\UninstallWebEventSqlProvider.sql	VanGoth.exe
File created	C:\Windows\Media\Characters\Windows Critical Stop.wav	VanGoth.exe
File created	C:\Windows\Media\Festival\Windows Hardware Fail.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\add_over.png	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\bPrev-hot.png	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\modern_dot.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\GB-wp4.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile38.bmp	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d158ae10876efd6d\currency.css	VanGoth.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp6.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\44.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\greenStateIcon.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigApp.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\security_watermark.jpg	VanGoth.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_debuggers.help.txt	VanGoth.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_prompts.help.txt	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\oskmenu.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\7.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\3.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gpupipeline_31bf3856ad364e35_6.1.7601.17514_none_5a5226e685faba67\DissolveNoise.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\GreenBubbles.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_btn-previous-static.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Hydrangeas.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipssrl.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile27.bmp	VanGoth.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.1.7600.16385_none_094460616193b3f6\WebAdminHelp_Internals.aspx	VanGoth.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_do.help.txt	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Stars.jpg	VanGoth.exe
File created	C:\Windows\Media\Heritage\Windows Exclamation.wav	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\corner.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_notes-txt-background.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Windows Print complete.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd5060t.xml	VanGoth.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Quoting_Rules.help.txt	VanGoth.exe
File created	C:\Windows\PLA\Rules\Rules.System.Memory.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\16_9-frame-highlight.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-vignette_31bf3856ad364e35_6.1.7600.16385_none_cc1304de922cc585\NavigationUp_SelectionSubpicture.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\oskmenubase.xml	VanGoth.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_41ed62770d4da14e\InstallMembership.sql	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-editions-client_31bf3856ad364e35_6.1.7600.16385_none_bc037fbe81d7b074\HomePremiumEdition.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Logon Sound.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\oskpred.xml	VanGoth.exe
File created	C:\Windows\Media\Landscape\Windows Print complete.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-searchdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_8d9dc2260d0e1a98\SearchDiagnostic.xml	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2b166002b7f51771\settings.html	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\settings_box_divider_left.png	VanGoth.exe
File created	C:\Windows\Media\Delta\Windows Hardware Fail.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_815d27dbb889ba17\logo.png	VanGoth.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1488	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1620	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\VanGoth.exe
"C:\Users\Admin\AppData\Local\Temp\VanGoth.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1800

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1816

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_IT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-0-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/1800-2-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1800-62-0x0000000000E45000-0x0000000000E56000-memory.dmp

Filesize
68KB

Download
memory/1816-63-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download