| 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| 00000000.00000002.509300056.0000000000820000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | - 0x5677:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
|
| 00000000.00000002.508996515.0000000000620000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | - 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
|
| 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x1228:$a1: /C ping localhost -n %u && del "%s"
- 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
- 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
- 0xa9c:$a5: filename="%.4u.%lu"
- 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xe6d:$a9: &whoami=%s
- 0xe56:$a10: %u.%u_%u_%u_x%u
- 0xd63:$a11: size=%u&hash=0x%08x
- 0xb1d:$a12: &uptime=%u
- 0x6fb:$a13: %systemroot%\system32\c_1252.nls
- 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
|
| 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
- 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
- 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
- 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
- 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
|
| Process Memory Space: KOYCdGz80D.exe PID: 5348 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| Process Memory Space: KOYCdGz80D.exe PID: 5348 | Windows_Trojan_Gozi_fd494041 | unknown | unknown | - 0x6a9f:$a5: filename="%.4u.%lu"
- 0x6c55:$a5: filename="%.4u.%lu"
- 0x17fb5:$a5: filename="%.4u.%lu"
- 0x1816b:$a5: filename="%.4u.%lu"
- 0x6652:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x17b68:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
- 0x67c6:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x6b9f:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x6d57:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xc495:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xc576:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0xc7da:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x13dd1:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x13eb2:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x1405d:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x17cdc:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x180b5:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x1826d:$a8: %08X-%04X-%04X-%04X-%08X%04X
- 0x6fb7:$a9: &whoami=%s
- 0x184cd:$a9: &whoami=%s
- 0x6fa0:$a10: %u.%u_%u_%u_x%u
|
| Process Memory Space: KOYCdGz80D.exe PID: 5348 | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown | - 0x6b46:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
|
Edit tour
KOYCdGz80D.exe (PID: 5348 cmdline: 