Analysis
max time kernel: 541s
max time network: 360s
platform: windows10_x64
resource: win10-en-20210920
submitted: 14/10/2021, 01:30

Static task: static1

Behavioral task: behavioral1
Sample: VanGoth.exe
Resource: win7v20210408
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: VanGoth.exe
Resource: win10-en-20210920
0 signatures
0 seconds
General
Target: VanGoth.exe
Size: 36KB
MD5: afff555062c4e6fb3a34e7c2be519fcd
SHA1: 73ed552ba04e57e8cd991f9f82a182aa298c4baa
SHA256: d27a5719ec67c146a1b338302074de39f5ad49b17f81cb014cc2c57c4f464d85
SHA512: 31b3b0cf4e877f848fae85c7afd08fe165ae5bcb114d41781d28403e276f524d383e34f7d3e39b96beb8e39f023ae1d150115bf751a3196e3c773eb688a6277f
Score: 8/10
Malware Config

Signatures
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\gmreadme.txt | VanGoth.exe
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ResumeMeasure.png => C:\Users\Admin\Pictures\ResumeMeasure.png.VanGoth | VanGoth.exe
File renamed | C:\Users\Admin\Pictures\UninstallResize.png => C:\Users\Admin\Pictures\UninstallResize.png.VanGoth | VanGoth.exe
File renamed | C:\Users\Admin\Pictures\EditUnregister.png => C:\Users\Admin\Pictures\EditUnregister.png.VanGoth | VanGoth.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)