Source:
Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source:
Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source:
Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 1_2_10147900 PathFileExistsA,_memset,_memset,_strcpy_s,_strcat_s,FindFirstFileA,_memset,_strcpy_s,_strcat_s,_strcat_s,_strcat_s,_strcat_s,PathFileExistsA,PathRemoveFileSpecA,_memset,_strlen,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 1_2_10145A40 FindFirstFileA,FindClose,
Source: A8xYhQFvXo.dll |
String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook) |
Source: A8xYhQFvXo.dll |
String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook) |
Source: A8xYhQFvXo.dll |
String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook) |
Source: A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook) |
Source: A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook) |
Source: A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook) |
Source: rundll32.exe, 00000001.00000002.230693439.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.235972167.00000000101CE000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.245432696.00000000101CE000.00000002.00020000.sdmp, A8xYhQFvXo.dll |
String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook) |
Source: A8xYhQFvXo.dll |
String found in binary or memory: https://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@@@@https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 
1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid |