VanGoth.exe

max time kernel196s
max time network73s
platformwindows7_x64
resourcewin7v20210408
submitted14-10-2021 01:30

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

VanGoth.exe

Filesize

36KB

Completed

14-10-2021 01:41

Score

8^/10

MD5

afff555062c4e6fb3a34e7c2be519fcd

SHA1

73ed552ba04e57e8cd991f9f82a182aa298c4baa

SHA256

d27a5719ec67c146a1b338302074de39f5ad49b17f81cb014cc2c57c4f464d85

Collection

Credential Access

Drops file in Drivers directory
VanGoth.exe

Reported IOCs

description ioc process

File created C:\Windows\SysWOW64\drivers\gmreadme.txt VanGoth.exe
Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	VanGoth.exe

Drops file in System32 directory

VanGoth.exe

Reported IOCs

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc350u.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf583u.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4340t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa520t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc650X.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500at.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\en-US\erofflps.txt	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc3100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1360t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hphp910t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk5400t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpn5150t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpf4400t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc610u.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMovieMaker.bmp	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2400t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf4100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj3500t.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\koc353X.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\sml455u.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\RacRules.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpah470t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4300t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpD5400t.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\oobe\background.bmp	VanGoth.exe
File opened for modification	C:\Windows\System32\catroot2\dberr.txt	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpmcpcp6.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa440t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\kom4650X.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsOutlookExpress.bmp	VanGoth.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\data\HardwareVendors.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\NdfEventView.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj5700t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpd7500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpl7600t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500nt.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc6200t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc5500t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk5300t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc6300t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500nt.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc4600t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc660u.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc6100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2360t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smx620u.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\icsxml\osinfo.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\tsmxuPipelineConfig.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsPhotoGallery.bmp	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5100t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk8600t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8000at.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5060t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa620t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc5300t.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc4500t.xml	VanGoth.exe

Drops file in Program Files directory

VanGoth.exe

Reported IOCs

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Adobe.css	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\gadget.xml	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime.css	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	VanGoth.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	VanGoth.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	VanGoth.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	VanGoth.exe
File opened for modification	C:\Program Files\UnregisterOptimize.ogg	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	VanGoth.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert.css	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl.css	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css	VanGoth.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	VanGoth.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	VanGoth.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	VanGoth.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	VanGoth.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	VanGoth.exe
File created	C:\Program Files\Internet Explorer\Timeline.cpu.xml	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	VanGoth.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	VanGoth.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	VanGoth.exe

Drops file in Windows directory

VanGoth.exe

Reported IOCs

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Windows Exclamation.wav	VanGoth.exe
File created	C:\Windows\Media\Calligraphy\Windows Print complete.wav	VanGoth.exe
File created	C:\Windows\Media\Sonata\Windows Critical Stop.wav	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersonalization.sql	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\novelty_m.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\36.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Peacock.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-huecycle_31bf3856ad364e35_6.1.7600.16385_none_810df6f57d9f2a73\huemainsubpicture2.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winsatmediasamples_31bf3856ad364e35_6.1.7600.16385_none_0b34d0642122c1c4\Clip_480_5sec_6mbps_h264.mp4	VanGoth.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.1.7600.16385_none_094460616193b3f6\WebAdminHelp_Application.aspx	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4d6aa30008b38d10\cpu.html	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..riventextservice-yi_31bf3856ad364e35_6.1.7600.16385_none_4153c9e11ffae30c\TableTextServiceYi.txt	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..tional-chinese-dayi_31bf3856ad364e35_6.1.7600.16385_none_6052679946eea92d\TableTextServiceDaYi.txt	VanGoth.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.1.7600.16385_none_77bb8934c5837c8b\UninstallWebEventSqlProvider.sql	VanGoth.exe
File created	C:\Windows\Media\Characters\Windows Critical Stop.wav	VanGoth.exe
File created	C:\Windows\Media\Festival\Windows Hardware Fail.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\add_over.png	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\bPrev-hot.png	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\modern_dot.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\GB-wp4.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile38.bmp	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d158ae10876efd6d\currency.css	VanGoth.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp6.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\44.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\greenStateIcon.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigApp.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\security_watermark.jpg	VanGoth.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_debuggers.help.txt	VanGoth.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_prompts.help.txt	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\oskmenu.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\7.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\3.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gpupipeline_31bf3856ad364e35_6.1.7601.17514_none_5a5226e685faba67\DissolveNoise.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\GreenBubbles.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_btn-previous-static.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Hydrangeas.jpg	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ipssrl.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile27.bmp	VanGoth.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.1.7600.16385_none_094460616193b3f6\WebAdminHelp_Internals.aspx	VanGoth.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_do.help.txt	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Stars.jpg	VanGoth.exe
File created	C:\Windows\Media\Heritage\Windows Exclamation.wav	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\corner.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_notes-txt-background.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Windows Print complete.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_prnhp003.inf_31bf3856ad364e35_6.1.7600.16385_none_2fd781a76c9dcc13\Amd64\hpd5060t.xml	VanGoth.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Quoting_Rules.help.txt	VanGoth.exe
File created	C:\Windows\PLA\Rules\Rules.System.Memory.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\16_9-frame-highlight.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-vignette_31bf3856ad364e35_6.1.7600.16385_none_cc1304de922cc585\NavigationUp_SelectionSubpicture.png	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\oskmenubase.xml	VanGoth.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_membership_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_41ed62770d4da14e\InstallMembership.sql	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-editions-client_31bf3856ad364e35_6.1.7600.16385_none_bc037fbe81d7b074\HomePremiumEdition.xml	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Logon Sound.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76\oskpred.xml	VanGoth.exe
File created	C:\Windows\Media\Landscape\Windows Print complete.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-searchdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_8d9dc2260d0e1a98\SearchDiagnostic.xml	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2b166002b7f51771\settings.html	VanGoth.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\settings_box_divider_left.png	VanGoth.exe
File created	C:\Windows\Media\Delta\Windows Hardware Fail.wav	VanGoth.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_815d27dbb889ba17\logo.png	VanGoth.exe

Opens file in notepad (likely ransom note)
NOTEPAD.EXE

Tags

ransomware

Reported IOCs

pid process

1488 NOTEPAD.EXE

pid	process
1488	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses

taskmgr.exe

Reported IOCs

pid	process
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam
taskmgr.exe

Reported IOCs

pid process

1620 taskmgr.exe
Suspicious use of AdjustPrivilegeToken
taskmgr.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1620 taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1620	taskmgr.exe

Suspicious use of FindShellTrayWindow

taskmgr.exe

Reported IOCs

pid	process
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe

Suspicious use of SendNotifyMessage

taskmgr.exe

Reported IOCs

pid	process
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\VanGoth.exe

"C:\Users\Admin\AppData\Local\Temp\VanGoth.exe"

Drops file in Drivers directory
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory

PID:1800

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

PID:1816

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage

PID:1620

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_IT.txt

Opens file in notepad (likely ransom note)

PID:1488

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\Desktop\READ_IT.txt
MD5
12afabdd31b93a97f5dd6d9eef522ef5

SHA1
ea374f1d85a199f015c203f13fef66167590cc91

SHA256
59063bbd426e986b4fed2eb5352f7c094554c4219d352a2050953d03c7f5bc52

SHA512
3004df1e68e7abe78f321b21ed83c9a953958ddc6109dea38e1b812867728fe49c84db14bfd5e6a58d26e523695f848d6af060110ea48bc17fb63f629b444d39

Download Submit
memory/1800-0-0x0000000001140000-0x0000000001141000-memory.dmp

Download
memory/1800-2-0x0000000000E40000-0x0000000000E41000-memory.dmp

Download
memory/1800-62-0x0000000000E45000-0x0000000000E56000-memory.dmp

Download
memory/1816-63-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Download

VanGoth.exe

Filter: none

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title