00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.441282479.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.441258936.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.441128955.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.440946252.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.441227319.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000002.569972070.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.441026847.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.441081684.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0xff0:$a1: /C ping localhost -n %u && del "%s"
- 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xca8:$a5: filename="%.4u.%lu"
- 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe72:$a9: &whoami=%s
- 0xe5a:$a10: %u.%u_%u_%u_x%u
- 0xc22:$a11: size=%u&hash=0x%08x
- 0xc13:$a12: &uptime=%u
- 0xda7:$a13: %systemroot%\system32\c_1252.nls
- 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
|
00000000.00000003.441301430.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
|
00000000.00000002.569687253.0000000001019000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Process Memory Space: d2ef5.exe PID: 4684 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Process Memory Space: d2ef5.exe PID: 4684 | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1960:$a5: filename="%.4u.%lu"
- 0x1c5e:$a5: filename="%.4u.%lu"
- 0xb55e:$a5: filename="%.4u.%lu"
- 0xb85c:$a5: filename="%.4u.%lu"
- 0x1428:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xb026:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x1355:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x1716:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x1a19:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x4cd2:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x4cf7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x4e83:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x90b2:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x9212:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xaf53:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xb314:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xb617:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x1de4:$a9: &whoami=%s
- 0xb9e2:$a9: &whoami=%s
- 0x1dcc:$a10: %u.%u_%u_%u_x%u
- 0xb9ca:$a10: %u.%u_%u_%u_x%u
|
Process Memory Space: d2ef5.exe PID: 4684 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x188f:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1b90:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xb48d:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0xb78e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x1428:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x15d4:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xb026:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xb1d2:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x192c:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x1c2a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xb52a:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xb828:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0x17c0:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x1ac4:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xb3be:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xb6c2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0x19f0:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1cf5:$a9: Software\AppDataLow\Software\Microsoft\
- 0x239e:$a9: Software\AppDataLow\Software\Microsoft\
- 0x23eb:$a9: Software\AppDataLow\Software\Microsoft\
- 0xb5ee:$a9: Software\AppDataLow\Software\Microsoft\
|
Click to see the 26 entries |