00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.345037637.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
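Added example, not part of the sandbox report and not the code of the rules it names: the rows above list, per memory dump (.sdmp), the offset and identifier of every literal string the two Gozi rules matched. Note that the offsets are relative to the start of each dumped region, not to the module base, which is why the same string set sits at 0xbd3/0x803 in one dump and at 0x86c/0x8ac, 0x5d4/0x614 or 0x6c/0xac in others. The Python below reproduces that `- 0xOFF:$id: string` listing over a constructed stand-in buffer using the exact byte strings from the rows, and turns the check-in format string (`$a2` of 261f5ac5, `$a7` of fd494041) into a regular expression for hunting the resulting beacon query in proxy or IDS logs. The `min_hits` threshold is an assumption (the page does not show the rules' conditions), and the sample dump and sample query string are constructed here.

```python
import re

# Literal strings, byte for byte as listed for the two rules in the table above.
# YARA matched them as plain ASCII in the dumps: the %u / %08x tokens are the
# trojan's own printf format strings, not wildcards.
GOZI_FD494041 = {
    "$a1": b'/C ping localhost -n %u && del "%s"',
    "$a2": b'/C "copy "%s" "%s" /y && "%s" "%s"',
    "$a3": b'/C "copy "%s" "%s" /y && rundll32 "%s",%S"',
    "$a5": b'filename="%.4u.%lu"',
    "$a7": b'version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s',
    "$a8": b'%08X-%04X-%04X-%04X-%08X%04X',
    "$a9": b'&whoami=%s',
    "$a10": b'%u.%u_%u_%u_x%u',
    "$a11": b'size=%u&hash=0x%08x',
    "$a12": b'&uptime=%u',
    "$a13": b'%systemroot%\\system32\\c_1252.nls',
    "$a14": b'IE10RunOnceLastShown_TIMESTAMP',
}
GOZI_261F5AC5 = {
    "$a1": b'soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x',
    "$a2": b'version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s',
    "$a3": b'Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"',
    "$a5": b'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)',
    "$a6": b'http://constitution.org/usdeclar.txt',
    "$a7": b'grabs=',
    "$a8": b'CHROME.DLL',
    "$a9": b'Software\\AppDataLow\\Software\\Microsoft\\',
}


def scan(buf: bytes, strings: dict) -> list:
    """Every occurrence of every string as (offset, id, text), ordered like the
    report: by string id, then by offset (a repeated $a9 lists each hit)."""
    hits = []
    for sid, s in strings.items():
        start = 0
        while (off := buf.find(s, start)) != -1:
            hits.append((off, sid, s.decode("latin-1")))
            start = off + 1
    return sorted(hits, key=lambda h: (int(h[1][2:]), h[0]))


def format_report(buf: bytes, strings: dict) -> list:
    """Render hits in the '- 0xOFF:$id: string' form used in the table above."""
    return [f"- {off:#x}:{sid}: {text}" for off, sid, text in scan(buf, strings)]


def rule_fires(buf: bytes, strings: dict, min_hits: int = 3) -> bool:
    """ASSUMED condition: the report does not show the rules' real conditions,
    so this fires when at least `min_hits` distinct string ids are present."""
    return len({sid for _, sid, _ in scan(buf, strings)}) >= min_hits


_FMT = re.compile(r"%(\d*)(?:\.(\d+))?l?([a-zA-Z])")


def fmt_to_regex(fmt: str) -> str:
    """Turn a printf-style format string into a regex that matches what it
    prints, e.g. to hunt the check-in query ($a2/$a7 above) in proxy logs."""
    out, pos = [], 0
    for m in _FMT.finditer(fmt):
        out.append(re.escape(fmt[pos:m.start()]))
        width, prec, conv = m.groups()
        n = int(width or prec) if (width or prec) else None
        if conv == "u":                 # unsigned decimal; %08u / %.4u give a minimum width
            out.append(rf"\d{{{n},}}" if n else r"\d+")
        elif conv in "xX":              # hex; %08x is exactly 8 digits, %x is free length
            digits = "[0-9a-f]" if conv == "x" else "[0-9A-F]"
            out.append(f"{digits}{{{n}}}" if n else f"{digits}+")
        else:                           # %s / %S: free text up to the next field
            out.append(r"[^&\s]*")
        pos = m.end()
    out.append(re.escape(fmt[pos:]))
    return "".join(out)


def query_matches(fmt: bytes, query: str) -> bool:
    """True when `query` is exactly what the format string `fmt` would print."""
    return re.fullmatch(fmt_to_regex(fmt.decode("latin-1")), query) is not None


def build_sample_dump() -> bytes:
    """Constructed stand-in for a .sdmp region: zero filler with a few 261f5ac5
    strings embedded, $a9 twice, as the later rows in the table show."""
    pad, s = b"\x00" * 0x40, GOZI_261F5AC5
    return pad + s["$a1"] + pad + s["$a2"] + pad + s["$a9"] + pad + s["$a9"] + pad + s["$a5"]


# Constructed beacon query in the shape of $a2/$a7 (user id is 4 x %08x = 32 hex digits).
SAMPLE_QUERY = ("version=250223&soft=3&user=0123456789abcdef0123456789abcdef"
                "&server=12&id=1000&type=1&name=constructed.example")

if __name__ == "__main__":
    dump = build_sample_dump()
    print("\n".join(format_report(dump, GOZI_261F5AC5)))
    print("261f5ac5 fires:", rule_fires(dump, GOZI_261F5AC5))
    print("fd494041 fires:", rule_fires(dump, GOZI_FD494041))  # shares only $a7 with this dump
    print("beacon regex:", fmt_to_regex(GOZI_261F5AC5["$a2"].decode()))
```

The two scans show why both rules fire on the first dump in the table but only 261f5ac5 on most later ones: the check-in format string is shared (`$a7` in fd494041, `$a2` in 261f5ac5), so a region that carries only the network strings satisfies one rule and not the other. The regex conversion is only for log hunting; against memory the strings must stay literal, because the `%u` and `%08x` tokens are exactly what the binary contains.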
00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000004.00000003.448346739.0000021F4E42C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000002D.00000003.797117196.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000043.00000000.773575293.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.344925782.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.389553565.000000000109D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000002D.00000003.712648005.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000029.00000003.708638922.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000002.685282476.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000001F.00000002.856104544.000001489B502000.00000004.00000001.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x1f5:$a6: http://constitution.org/usdeclar.txt
- 0x37a:$a7: grabs=
- 0x84c:$a8: CHROME.DLL
- 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000002.497478535.0000000000750000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000029.00000002.721107955.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.345194769.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.345092170.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.682986739.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000058.00000003.814825751.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000058.00000003.803878408.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.493910135.000000000111D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000043.00000000.771438221.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.683117141.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
0000001F.00000000.667603922.000001489BB00000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000000.00000003.389654961.000000000111C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000003E.00000003.767939746.000001993459C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000003E.00000003.765039957.000001993459C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000003E.00000003.765207667.000001993459C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000059.00000002.827171942.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000043.00000000.769688179.000001FA9D6F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000000.00000003.390766199.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.683052464.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.389500778.000000000119B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000029.00000000.703497252.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000003E.00000000.763965956.0000019933F90000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000003E.00000003.767821170.000001993459C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000013.00000000.596069262.000002240CA50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000029.00000000.704474059.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000003E.00000000.762259112.0000019933F90000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000023.00000000.681894423.0000000003020000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000059.00000000.816576347.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.344972569.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.682539634.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.345107606.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
0000003E.00000000.760746671.0000019933F90000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000000.00000003.495743811.0000000000D29000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.682736014.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000029.00000000.702640862.000001CEDB3E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000059.00000000.818431890.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000002D.00000003.712982128.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000043.00000002.778497815.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000058.00000003.814713525.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.390744160.000000000119B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000013.00000002.860622856.000002240CD02000.00000004.00000001.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x1f5:$a6: http://constitution.org/usdeclar.txt
- 0x37a:$a7: grabs=
- 0x84c:$a8: CHROME.DLL
- 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000059.00000000.820005242.000001AF8B6D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.345011461.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000059.00000003.822550991.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
0000001F.00000000.656463020.000001489BB00000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000058.00000000.802729381.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000029.00000003.705598553.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
0000001B.00000000.625911169.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000059.00000003.822358925.000001AF8BC9C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
0000001B.00000000.630294105.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000002D.00000002.856230458.00000191D3DAC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000029.00000003.705458137.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.682832881.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000043.00000003.775181381.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000013.00000000.590960903.000002240CA50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000058.00000003.803740044.0000024EF5BDC000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000023.00000000.680178718.0000000003020000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.451792745.0000000003F08000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.344881693.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
00000004.00000002.814285126.0000021F457F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.344788105.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.389768028.000000000119B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000013.00000000.576910703.000002240CA50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000029.00000003.708468891.000001CEDBA7C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.495247062.0000000001148000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000023.00000000.681232862.0000000003020000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000043.00000003.775368587.000001FA9DD8C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000002.497852767.0000000001181000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.682410000.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000002.498174750.0000000001318000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1c68:$a9: Software\AppDataLow\Software\Microsoft\
|
0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000001B.00000002.858783348.000001D023E02000.00000004.00000001.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x6c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4f2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x11f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x1f5:$a6: http://constitution.org/usdeclar.txt
- 0x37a:$a7: grabs=
- 0x84c:$a8: CHROME.DLL
- 0x1c9:$a9: Software\AppDataLow\Software\Microsoft\
|
00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.682621929.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.442938704.0000000003F08000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
00000058.00000000.801073925.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
00000058.00000000.799390295.0000024EF5620000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000001B.00000000.635166996.000001D023AD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
0000003E.00000002.795032491.000001993459C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x86c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xcf2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x91f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9f5:$a6: http://constitution.org/usdeclar.txt
- 0xb7a:$a7: grabs=
- 0x104c:$a8: CHROME.DLL
- 0x9c9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3a90:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3af0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b50:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3bb0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3c10:$a9: Software\AppDataLow\Software\Microsoft\
|
00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000023.00000003.683222673.0000000003558000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5d4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x614:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa06:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x687:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x750:$a6: http://constitution.org/usdeclar.txt
- 0x8d5:$a7: grabs=
- 0xf32:$a8: CHROME.DLL
- 0x724:$a9: Software\AppDataLow\Software\Microsoft\
- 0x37f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3848:$a9: Software\AppDataLow\Software\Microsoft\
- 0x38a8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3908:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3968:$a9: Software\AppDataLow\Software\Microsoft\
|
0000001F.00000000.673085569.000001489BB00000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Process Memory Space: Lx6.exe PID: 1172 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: Lx6.exe PID: 1172 | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x4cb3:$a5: filename="%.4u.%lu"
- 0x4fb1:$a5: filename="%.4u.%lu"
- 0xe3a60:$a5: filename="%.4u.%lu"
- 0xe3d5e:$a5: filename="%.4u.%lu"
- 0x2350cf:$a5: filename="%.4u.%lu"
- 0x236133:$a5: filename="%.4u.%lu"
- 0x25b709:$a5: filename="%.4u.%lu"
- 0x25ba07:$a5: filename="%.4u.%lu"
- 0x25d9f8:$a5: filename="%.4u.%lu"
- 0x25ea62:$a5: filename="%.4u.%lu"
- 0x477b:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xe3528:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x234bfb:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x25b1d1:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x25d524:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x46a8:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x4a69:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x4d6c:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe3455:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe3816:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe3b19:$a8: %08X-%04X-%04X-%04X-%08X%04X
|
Process Memory Space: Lx6.exe PID: 1172 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x4be2:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x4ee3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xe398f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xe3c90:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x234bbb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x234cfe:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x25b638:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x25b939:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x25d4e4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x25d627:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x477b:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4927:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xe3528:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xe36d4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x234bfb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x234d3d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x25b1d1:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x25b37d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x25d524:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x25d666:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4c7f:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
|
Process Memory Space: powershell.exe PID: 4292 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: powershell.exe PID: 4292 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | - 0x5c051c:$b2: ::FromBase64String(
- 0x19505f:$s1: -join
- 0x23ad37:$s1: -join
- 0x5693f1:$s1: -join
- 0x5764c6:$s1: -join
- 0x579898:$s1: -join
- 0x579f4a:$s1: -join
- 0x57ba3b:$s1: -join
- 0x57dc41:$s1: -join
- 0x57e468:$s1: -join
- 0x57ecd8:$s1: -join
- 0x57f413:$s1: -join
- 0x57f445:$s1: -join
- 0x57f48d:$s1: -join
- 0x57f4ac:$s1: -join
- 0x57fcfc:$s1: -join
- 0x57fe78:$s1: -join
- 0x57fef0:$s1: -join
- 0x57ff83:$s1: -join
- 0x5801e9:$s1: -join
- 0x58237f:$s1: -join
|
Process Memory Space: powershell.exe PID: 4292 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x1ec0:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x2010:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1f00:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x204f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x2402:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x34ab:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x1f73:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x20bd:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x2186:$a6: http://constitution.org/usdeclar.txt
- 0x3256:$a6: http://constitution.org/usdeclar.txt
- 0x22e5:$a7: grabs=
- 0x3369:$a7: grabs=
- 0x266e:$a8: CHROME.DLL
- 0x3756:$a8: CHROME.DLL
- 0x6e9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x215e:$a9: Software\AppDataLow\Software\Microsoft\
- 0x322d:$a9: Software\AppDataLow\Software\Microsoft\
- 0xe431e:$a9: Software\AppDataLow\Software\Microsoft\
- 0xe45db:$a9: Software\AppDataLow\Software\Microsoft\
- 0xe46fd:$a9: Software\AppDataLow\Software\Microsoft\
- 0xe4df0:$a9: Software\AppDataLow\Software\Microsoft\
|
Process Memory Space: RuntimeBroker.exe PID: 3124 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: RuntimeBroker.exe PID: 3124 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x618c5:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x61a17:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x61905:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x61a56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x61e09:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x62eb2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x61978:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x61ac4:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x61b8d:$a6: http://constitution.org/usdeclar.txt
- 0x62c5d:$a6: http://constitution.org/usdeclar.txt
- 0x61cec:$a7: grabs=
- 0x62d70:$a7: grabs=
- 0x62075:$a8: CHROME.DLL
- 0x6315d:$a8: CHROME.DLL
- 0x2a7b9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2a805:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2a853:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2a8b1:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2a910:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2a966:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2a9c2:$a9: Software\AppDataLow\Software\Microsoft\
|
Process Memory Space: RuntimeBroker.exe PID: 4372 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: RuntimeBroker.exe PID: 4372 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x46208:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x46358:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x46248:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x46397:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4674a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x477f3:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x462bb:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x46405:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x464ce:$a6: http://constitution.org/usdeclar.txt
- 0x4759e:$a6: http://constitution.org/usdeclar.txt
- 0x4662d:$a7: grabs=
- 0x476b1:$a7: grabs=
- 0x469b6:$a8: CHROME.DLL
- 0x47a9e:$a8: CHROME.DLL
- 0x25b2f:$a9: Software\AppDataLow\Software\Microsoft\
- 0x25b7b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x25bd3:$a9: Software\AppDataLow\Software\Microsoft\
- 0x25c31:$a9: Software\AppDataLow\Software\Microsoft\
- 0x25c93:$a9: Software\AppDataLow\Software\Microsoft\
- 0x25ce9:$a9: Software\AppDataLow\Software\Microsoft\
- 0x25d45:$a9: Software\AppDataLow\Software\Microsoft\
|
Process Memory Space: RuntimeBroker.exe PID: 4552 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: RuntimeBroker.exe PID: 4552 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xe596:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xe6e6:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xe5d6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xe725:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xead8:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xfb81:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xe649:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xe793:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xe85c:$a6: http://constitution.org/usdeclar.txt
- 0xf92c:$a6: http://constitution.org/usdeclar.txt
- 0xe9bb:$a7: grabs=
- 0xfa3f:$a7: grabs=
- 0xed44:$a8: CHROME.DLL
- 0xfe2c:$a8: CHROME.DLL
- 0xe834:$a9: Software\AppDataLow\Software\Microsoft\
- 0xf903:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2d668:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2d705:$a9: Software\AppDataLow\Software\Microsoft\
- 0x2d81f:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b2c8:$a9: Software\AppDataLow\Software\Microsoft\
- 0x3b314:$a9: Software\AppDataLow\Software\Microsoft\
|
Process Memory Space: cmd.exe PID: 5832 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: cmd.exe PID: 5832 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x1319:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x145c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x4ee4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x5027:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x15d88:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x15ecb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1359:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x149b:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4f24:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x5066:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x15dc8:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x15f0a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x17f9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x2863:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x53c4:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x642e:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x16268:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x172d2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x13cc:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x1509:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x4f97:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
|
Process Memory Space: cmd.exe PID: 1920 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: cmd.exe PID: 1920 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x5816:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x5966:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8c4f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x8d9f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x16e24:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x16f74:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1a346:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1a496:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x5856:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x59a5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x8c8f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x8dde:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x16e64:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x16fb3:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x1a386:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x1a4d5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x5d58:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x6e01:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x9191:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xa23a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x17366:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
|
Process Memory Space: powershell.exe PID: 6064 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: powershell.exe PID: 6064 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | - 0xd81a1:$b2: ::FromBase64String(
- 0x1522c3:$b2: ::FromBase64String(
- 0x20238c:$s1: -join
- 0x20d698:$s1: -join
- 0x22b191:$s1: -join
- 0x1e63:$s4: +=
- 0x203785:$s4: +=
- 0x205ee7:$s4: +=
- 0x205f66:$s4: +=
- 0x206181:$s4: +=
- 0x206204:$s4: +=
- 0x206c8c:$s4: +=
- 0x207091:$s4: +=
- 0x20a5b1:$s4: +=
- 0x20a5d0:$s4: +=
- 0x20a60b:$s4: +=
- 0x20a628:$s4: +=
- 0x20a663:$s4: +=
- 0x20a6cf:$s4: +=
- 0x20a75b:$s4: +=
- 0x20a85a:$s4: +=
|
Process Memory Space: powershell.exe PID: 6064 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x394f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x3a9f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x5244:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x5394:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1faf86:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1fb0d6:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x23dc26:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x23dd76:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x398f:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x3ade:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x5284:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x53d3:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x1fafc6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x1fb115:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x23dc66:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x23ddb5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x3e91:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x4398:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x5786:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x5c8d:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x1fb4c8:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
|
Process Memory Space: csc.exe PID: 5836 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: csc.exe PID: 5836 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbdce:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xbf1e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xecc7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xee17:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x11d74:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x11ec4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x4bcbb:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x4be0b:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xbe0e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xbf5d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xed07:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xee56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x11db4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x11f03:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4bcfb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x4be4a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc310:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xd3b9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xf209:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x102b2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x122b6:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
|
Process Memory Space: cvtres.exe PID: 1716 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: cvtres.exe PID: 1716 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x996c:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x9abc:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x10957:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x10aa7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1453e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1468e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x99ac:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x9afb:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x10997:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x10ae6:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x1457e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x146cd:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x9eae:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xaf57:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x10e99:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x11f42:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x14a80:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x15b29:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x9a1f:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x9b69:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x10a0a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
|
Process Memory Space: csc.exe PID: 3536 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: csc.exe PID: 3536 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x2525:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x2675:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x575a:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x58aa:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xddf7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xdf47:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x2565:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x26b4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x579a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x58e9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xde37:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xdf86:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x2a67:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x3b10:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x5c9c:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x6d45:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xe339:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xf3e2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x25d8:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x2722:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x580d:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
|
Process Memory Space: cvtres.exe PID: 5240 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: cvtres.exe PID: 5240 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x2a16:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x2b66:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xdfd7:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xe127:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x10f0e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1105e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x2a56:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x2ba5:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xe017:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xe166:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x10f4e:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x1109d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x2f58:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x4001:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xe519:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xf5c2:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x11450:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x124f9:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x2ac9:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x2c13:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xe08a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
|