PESCAN.IO — Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

Information

Icon:

Size: 3,14 MB
SHA-256 Hash: 747072A4094DD0004D84ABD221863CA2DB676853C5CA27DD9B962650790A6472
SHA-1 Hash: 25CA8E5F48D694D4F715BF5A299062F4A979AEFD
MD5 Hash: FE611814D50BD962D1D85E3FB7425FF8
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 0032F8AA
EntryPoint (rva): 5635B2
SizeOfHeaders: 400
SizeOfImage: 720000
ImageBase: 400000
Architecture: x86
ImportTable: 5618CC
IAT: 3F8000
Characteristics: 22
TimeDateStamp: 9EE9976D
Date: 26/06/2054 17:46:21
File Type: EXE
Number Of Sections: 6
ASLR: Disabled
Section Names: .text, .DNGUARD, .DNGUARD, .DNGUARD, .rsrc, .reloc
Number Of Executable Sections: 3
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 3,99 MB Missing]

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	60000020 (Code, Executable, Readable)	0	0	2000	1EF644	N/A	N/A
.DNGUARD	60000020 (Code, Executable, Readable)	0	0	1F2000	20446B	N/A	N/A
.DNGUARD	C0000040 (Initialized Data, Readable, Writeable)	400	200	3F8000	8	0,0612	129030,00
.DNGUARD	60000020 (Code, Executable, Readable)	600	311C00	3FA000	311A78	7,8968	1287198,54
.rsrc	40000040 (Initialized Data, Readable)	312200	11000	70C000	10EAA	4,4666	3359475,88
.reloc	42000040 (Initialized Data, GP-Relative, Readable)	323200	200	71E000	C	0,1223	127509,00

Description

OriginalFilename: WPF_login.exe
LegalCopyright: Copyright 2023
ProductName: BLTools Cookies Checker
FileVersion: 2.8.4.0
FileDescription: BLTools Cookies Checker
ProductVersion: 2.8.4.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point

The section number (4) - (.DNGUARD) have the Entry Point
Information -> EntryPoint (calculated) - 169BB2
Code -> FF2500807F00F20DA181B3C27C465402B5C932EB9688EA06BEE29D82B9BC8EDD31B0C5E170D76FF142ADB05E7A705726E089
• JMP DWORD PTR [0X7F8000]
• OR EAX, 0XC2B381A1
• JL 0X1054
• PUSH ESP
• ADD DH, BYTE PTR [EBP - 0X6914CD37]
• MOV DL, CH
• PUSH ES
• MOV ESI, 0XB9829DE2
• MOV ESP, 0XB031DD8E
EP changed to another address -> (Address Of EntryPoint > Base Of Data)

Signatures

Certificate - Digital Signature Not Found:
• The file is not signed

Duplicate Sections

Section .DNGUARD duplicate 3 times

Packer/Compiler

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: False
• Version: v4.0
--------> Agile .NET Obfuscator
Detect It Easy (die)
• PE: library: .NET(v4.0.30319)[-]
• PE: linker: Microsoft Linker(48.0)[-]
• Entropy: 7.86593

Suspicious Functions

Library	Function	Description
KERNEL32.DLL	GetModuleHandle	Retrieves a handle to the specified module.

File Access

WPF_login.exe
mscoree.dll

File Access (UNICODE)

WPF_login.exe
cmd.exe
\License.dll
%\ValideSession.txt
_Valide.txt
\Good_Session.txt
\NoPassPay.txt
\PSPlus.txt
\Games.txt
\NoGames.txt
games].txt
\Sites.txt
\NoSites.txt
%\NoCreditCards.txt
!\CreditCards.txt
\Orders.txt
)\GiftCardBalance.txt
-\ErrorBalanceCheck.txt
+\AllValideSession.txt
\LVL.txt
\Achievements.txt
\NoCharacters.txt
\Characters.txt
\Empty.txt
\Other.txt
\NoPlan.txt
\Standart.txt
\Basic.txt
\cookies.txt
\Premium.txt
\Media.txt
\BlueVerified.txt
%\Not_Suspended.txt
\Suspended.txt
!\NoFollowers.txt
] Twitter ADS.txt
1\Good_errorCheckInfo.txt
\Business.txt
\Posts.txt
\LIVE.txt
\ADS_TikTok.txt
\Coins.txt
\Views.txt
%\NoSubscribers.txt
!\Subscribers.txt
\Verified.txt
\NoBrand.txt
\Brand.txt
\MoreChannels.txt
\Monetized.txt
\Found.txt
\NoCoins.txt
\ADS.txt
\Gold.txt
!\Good_Reddit.txt
\Valide.txt
\Banned.txt
\NoMessages.txt
\Messages.txt
\Reviews.txt
\Prime Date.txt
\Prime Open.txt
\PaymentsMethod.txt
\Videos.txt
\Followers.txt
\Tokens.txt
\Prime.txt
\Bits.txt
\NoBits.txt
/\Not_Activated_Keys.txt
\Keys.txt
\Rap.txt
\Roblox_Premium.txt
\Robux.txt
\NoRobux.txt
!\GuardMobile.txt
\GuardEmail.txt
\NoGuard.txt
\Points.txt
!\Open_Market.txt
\Closed_TM.txt
\Balance.txt
\NoBalance.txt
\Hold Balance.txt
].txt
\Inventory.txt
\FamilyPin.txt
txt)|*.txt
BLTools] CC_WITHOUT_CVV.txt
\CC_WITHOUT_CVV.txt
BLTools] CC_WITH_CVV.txt
!\CC_WITH_CVV.txt
\_AllForms_list.txt
!_All_CC_list.txt
\UrlLoginPass.txt
\LoginPass.txt
\EmailPass.txt
%\All_LoginPass.txt
%\All_EmailPass.txt
\Settings.ini
Temp
UserProfile

Interest's Words

Encrypt
Decrypt
PassWord
exec
unescape
attrib
start
cipher
hostname
shutdown
systeminfo
ping
replace
route

Interest's Words (UNICODE)

outlook
smtp
PassWord
<div
<input
start
hostname
expand

URLs (UNICODE)

https://t.me/BLToolsSupport
https://www.exchange-rates.org/api/v2/rates/lookup?isoTo=USD&isoFrom=
https://store.steampowered.com/account/?l=english
https://steamcommunity.com/profiles/
https://store.steampowered.com/api/getfundwalletinfo/?cc=nl&l=english
https://store.steampowered.com/pointssummary/
https://login.steampowered.com/jwt/refresh?redir=
https://steamcommunity.com/market/?l=english
https://steamcommunity.com/miniprofile/
https://steamcommunity.com/actions/ajaxlistfriends
https://steamid.uk/profile/
https://steamcommunity.com/inventory/
https://api.faceit.com/search/v1/?limit=1&query=
https://www.roblox.com/my/settings/json
https://www.roblox.com/users/
https://premiumfeatures.roblox.com/v1/users/
https://economy.roblox.com/v2/users/
https://billing.roblox.com/v1/credit
https://economy.roblox.com/v1/users/
https://inventory.roblox.com/v1/users/
https://www.humblebundle.com/user/wallet?hmb_source=navbar
https://www.humblebundle.com/api/v1/user/order
https://www.humblebundle.com/api/v1/orders?all_tpkds=true
https://freebitco.in/
https://id.twitch.tv/oauth2/validate
https://gql.twitch.tv/gqlorigin=twilight
https://twitch.tv/
https://gql.twitch.tv/gql
https://www.coinbase.com/api/v2/hold-balances
https://www.coinbase.com/api/v2/user/second-factor
https://www.coinbase.com/api/v2/user
https://www.vinted.
https://www.reddit.com/settings/
https://ads.reddit.com/accounts
https://ads-api.reddit.com/api/v3/members/
https://ads-api.reddit.com/api/v2.0/businesses/
https://ads-api.reddit.com/api/v2.1/accounts/
https://ads-api.reddit.com/api/v2.0/accounts/
https://www.reddit.com/user/
https://auth.mail.ru/cgi-bin/auth?mac=1
https://auth.mail.ru/sdc?from=
https://e.mail.ru/messages/inbox
https://e.mail.ru/api/v1/tokens
https://e.mail.ru/api/v1/messages/search?all_attaches=true&email=
https://studio.youtube.com/
https://www.youtube.com/channel/
https://studio.youtube.com/getAccountSwitcherEndpoint
https://www.tiktok.com/passport/web/account/info/?aid=1459
https://webcast-m.tiktok.com/webcast/room/create_info/?aid=1988
https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988
https://www.tiktok.com/api/user/detail/self/
https://ads.tiktok.com/api/v2/i18n/account/account_switch_list/?aid=1583
https://ads.tiktok.com/api/v3/i18n/statistics/dashboard/statistics_overview/?aadvid=
https://ads.tiktok.com/api/v3/i18n/statistics/transaction/balance/query/?aadvid=
https://www.tiktok.com/@
https://www.instagram.com/accounts/edit/
https://i.instagram.com/api/v1/users/web_profile_info/?username=
https://www.instagram.com/
https://api.twitter.com/1.1/account/settings.json
https://api.twitter.com/1.1/users/show.json?screen_name=
https://ads.twitter.com/
https://ads.twitter.com/billing/
https://twitter.com/
https://www.netflix.com/YourAccount
https://bbs-api-os.hoyolab.com/community/painter/wapi/user/full
https://bbs-api-os.hoyolab.com/game_record/card/wapi/getGameRecordCard?uid=
https://bbs-api-os.hoyolab.com/game_record/genshin/api/character
https://upload-os-bbs.mihoyo.com/game_record/genshin/character_image/UI_AvatarIcon
https://upload-os-bbs.mihoyo.com/game_record/genshin/character_icon/UI_AvatarIcon_
https://upload-os-bbs.mihoyo.com/game_record/genshin/equip/UI_EquipIcon_
https://www.facebook.com/friends/list
https://www.facebook.com/
https://www.amazon.com
https://www.amazon.de
https://www.amazon.fr
https://www.amazon.ca
https://www.amazon.pl
https://www.amazon.es
https://www.amazon.it
https://www.amazon.co.uk
https://www.amazon.ae
https://www.amazon.sg
https://www.amazon.nl
https://www.amazon.co.jp
https://www.amazon.com.br
https://www.amazon.cn
https://www.amazon.eg
https://www.amazon.in
https://www.amazon.com.mx
https://www.amazon.sa
https://www.amazon.se
https://www.amazon.com.tr
https://wordpress.com/stats/day
https://api.passport.yandex.ru/accounts
https://mail.yandex.ru/lite/?uid=
https://mail.yandex.ru/web-api/models/liza1?_m=messages
https://web.np.playstation.com/api/graphql/v2/transact/wallets
https://www.escapefromtarkov.com/preorder-page?lang=en
https://mail.rambler.ru/api/v2
https://mail.yahoo.com/
https://mail.yahoo.com/psearch/v3/srp?&multipart=true&appid=YMailNorrin&wssid=
https://apis.mail.yahoo.com/ws/v3/mailboxes
https://accounts.google.com/AccountChooser?flowName=GlifWebSignIn&flowEntry=AccountChooser
https://accounts.google.com/ServiceLogin?service=mail&passive=1209600&osid=1&continue=
https://mail.google.com/mail/u/
https://mail.google.com/sync/u/
https://ogs.google.com/u/0/widget/account
https://pay.google.com/gp/w/u/0/home/paymentmethods
https://accounts.google.com/Logout
https://funpay.com/account/balance
https://funpay.com/users/
https://www.linkedin.com/mypreferences/d/categories/account
https://www.linkedin.com/mysettings-api/settingsApiSneakPeeks?category=SIGN_IN_AND_SECURITY&q=category
https://api.telegram.org/bot
https://www.facebook.com/

IP Addresses

107.0.0.0
11.0.0.0

Known IP/Domains (UNICODE)

yahoo.com
facebook.com
twitter.com

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Unicode	Unicode escape - \u00 - (Common Unicode escape sequences)
Text	Unicode	WinAPI Sockets (send)
Text	Ascii	Encryption (CipherMode)
Text	Ascii	Encryption (CreateDecryptor)
Text	Ascii	Encryption (CryptoStream)
Text	Ascii	Encryption (CryptoStreamMode)
Text	Ascii	Encryption (FromBase64String)
Text	Ascii	Encryption (ICryptoTransform)
Text	Ascii	Encryption (MD5CryptoServiceProvider)
Text	Ascii	Encryption (ToBase64String)
Text	Ascii	Execution (ShellExecute)
Text	Ascii	Keyboard Key (Scroll)
Text	Ascii	Technique used to make malicious code harder to analyze (Obfuscation)
Text	Unicode	Malware designed to intercept and exfiltrate credit card details from compromised systems (Credit Card)
Text	Unicode	Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Text	Ascii	Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Entry Point	Hex Pattern	PE Pack v1.0

Resources

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\0	70C130	10828	312330	280000008000000000010000010020000000000000000100130B0000130B00000000000000000000FFFFFF00FFFFFF00FFFF	(............. ...................................
\GROUP_ICON\32512\0	71C958	14	322B58	0000010001008080000001002000280801000100	............ .(.....
\VERSION\1\0	71C96C	354	322B6C	540334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000800	T.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0	71CCC0	1EA	322EC0	EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65	...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String

• WPF_login.exe
• 2.8.4.0
• \Settings.ini
• Q/WPF_login;component/amazonsettings.xaml
• Aol.com
• K/WPF_login;component/aolsettings.xaml
• ;/WPF_login;component/app.xaml
• K/WPF_login;component/psnsettings.xaml
• S/WPF_login;component/ramblersettings.xaml
• Q/WPF_login;component/redditsettings.xaml
• Q/WPF_login;component/robloxsettings.xaml
• M/WPF_login;component/splashscreen.xaml
• O/WPF_login;component/steamsettings.xaml
• Q/WPF_login;component/tarkovsettings.xaml
• Q/WPF_login;component/tiktoksettings.xaml
• .exe
• %\All_EmailPass.txt
• %\All_LoginPass.txt
• \EmailPass.txt
• \LoginPass.txt
• \LoginPass
• \UrlLoginPass.txt
• \UrlLoginPass
• !_All_CC_list.txt
• '\_AllForms_list.txt
• !\CC_WITH_CVV.txt
• 5\[BLTools] CC_WITH_CVV.txt
• '\CC_WITHOUT_CVV.txt
• ;\[BLTools] CC_WITHOUT_CVV.txt
• K/WPF_login;component/toolswindow.xaml
• .txt
• Q/WPF_login;component/twitchsettings.xaml
• S/WPF_login;component/twittersettings.xaml
• Q/WPF_login;component/vintedsettings.xaml
• W/WPF_login;component/wordpresssettings.xaml
• O/WPF_login;component/yahoosettings.xaml
• Q/WPF_login;component/yandexsettings.xaml
• [/WPF_login;component/youproject1settings.xaml
• [/WPF_login;component/youproject2settings.xaml
• [/WPF_login;component/youproject3settings.xaml
• [/WPF_login;component/youproject4settings.xaml
• [/WPF_login;component/youproject5settings.xaml
• [/WPF_login;component/youproject6settings.xaml
• [/WPF_login;component/youproject7settings.xaml
• [/WPF_login;component/youproject8settings.xaml
• S/WPF_login;component/youtubesettings.xaml
• \License.dll
• cmd.exe
• a/c start cmd /C "color b && title Error && echo
• E/WPF_login;component/authform.xaml
• U/WPF_login;component/coinbasesettings.xaml
• U/WPF_login;component/facebooksettings.xaml
• S/WPF_login;component/freebtcsettings.xaml
• Q/WPF_login;component/funpaysettings.xaml
• S/WPF_login;component/genshinsettings.xaml
• O/WPF_login;component/gmailsettings.xaml
• W/WPF_login;component/googlepaysettings.xaml
• 9images/icons8-roblox-512.ico
• Q/WPF_login;component/humblesettings.xaml
• Q/WPF_login;component/indeedsettings.xaml
• W/WPF_login;component/instagramsettings.xaml
• U/WPF_login;component/linkedinsettings.xaml
• M/WPF_login;component/mailsettings.xaml
• https://t.me/BLToolsSupport
• 1Proxy File (*.txt)|*.txt
• !steampowered.com
• !steamLoginSecure
• %steamcommunity.com
• steamLoginSecure
• https://store.steampowered.com/account/?l=english
• LoginHidden
• https://store.steampowered.com/api/getfundwalletinfo/?cc=nl&l=english
• \FamilyPin.txt
• Login:
• 'account/sg_poor.png
• 'account/sg_fair.png
• 'account/sg_good.png
• https://login.steampowered.com/jwt/refresh?redir=https://steamcommunity.com/market/?l=english
• https://steamcommunity.com/actions/ajaxlistfriends
• \Inventory.txt
• ].txt
• \Hold Balance.txt
• \NoBalance.txt
• \Balance.txt
• \Closed_TM.txt
• !\Open_Market.txt
• \Points.txt
• \NoGuard.txt
• \GuardEmail.txt
• !\GuardMobile.txt
• roblox.com
• https://www.roblox.com/my/settings/json
• https://billing.roblox.com/v1/credit
• \NoRobux.txt
• \Robux.txt
• '\Roblox_Premium.txt
• \Rap.txt
• !humblebundle.com
• https://www.humblebundle.com/user/wallet?hmb_source=navbar
• https://www.humblebundle.com/api/v1/user/order
• https://www.humblebundle.com/api/v1/orders?all_tpkds=true
• \Keys.txt
• /\Not_Activated_Keys.txt
• https://id.twitch.tv/oauth2/validate
• https://gql.twitch.tv/gqlorigin=twilight
• [{"operationName":"ChannelRoot_AboutPanel","variables":{"channelLogin":"
• ","first":20,"after":null},"extensions":{"persistedQuery":{"version":1,"sha256Hash":"84d4173c52bb87af461c5435c535b93354cf51fd5aeef5c67e7574bd2df20c8d"}}},{"operationName":"BitsAutoRefillTab","variables":{},"extensions":{"persistedQuery":{"version":1,"sha256Hash":"7fab97d67c3f10f9d2b380496d191fd997924ffe68920737318c68c44551a9b4"}}},{"operationName":"PaymentMethodsTab_UserPaymentMethods","variables":{"internationalDisabled":false},"extensions":{"persistedQuery":{"version":1,"sha256Hash":"83e66a1acb46de209e3f25a4a7a613e5097c09b7acdab893ed74c00f7a33bddb"}}},{"operationName":"BitsConfigContext_Channel","variables":{"login":"
• _"},"extensions":{"persistedQuery":{"version":1,"sha256Hash":"368aaf9c04d3876cdd0076c105af2cd44b3bfd51a688462152ed4d3a5657e2b9"}}},{"operationName":"GetBitsButton_Bits","variables":{"login":"","withChannel":false,"isLoggedIn":true},"extensions":{"persistedQuery":{"version":1,"sha256Hash":"1622ab9e754d97acfb154caaf3d9d583c44408a76be6d4aba5a67cdba4e72452"}}},{"operationName":"Prime_PrimeOffers_CurrentUser","variables":{},"extensions":{"persistedQuery":{"version":1,"sha256Hash":"a773b7efefe390d49753520f7db73d03794b008af6acc22c06a2c630d46d5518"}}},{"operationName":"SubscriptionsManagement_SubscriptionBenefits","variables":{"limit":100,"cursor":"","filter":"PLATFORM","platform":"WEB"},"extensions":{"persistedQuery":{"version":1,"sha256Hash":"3686519fcca6f82961510d2e4ddd856ec8ded3b23b6513a629cc96c5bfcf3c3e"}}}]
• \NoBits.txt
• \Bits.txt
• \Prime.txt
• \Tokens.txt
• \Followers.txt
• \Videos.txt
• '\PaymentsMethod.txt
• https://gql.twitch.tv/gql
• 1[{"variables":{"login":"
• "},"query":"query PrimeSubscribe_UserPrimeData($login: String!){\nuser(login: $login){\nid\nself{\ncanPrimeSubscribe\nprimeSubCreditBenefit {\nwillRenew\nrenewalDate\n}\nsubscriptionBenefit{\nid\npurchasedWithPrime\ntier\nplatform\nrenewsAt\nendsAt\npaidUpgrade {\nprice\nstartsAt\n}\ngift {\nisGift\ngifter {\nid\ndisplayName\n}\n}\n}\n}\n}\ncurrentUser{\nid\nhasPrime\n}\nrequestInfo{\ncountryCode\n}\n}"},{"operationName":"BitsCard_Bits","variables":{},"extensions":{"persistedQuery":{"version":1,"sha256Hash":"fe1052e19ce99f10b5bd9ab63c5de15405ce87a1644527498f0fc1aadeff89f2"}}}]
• \Prime Open.txt
• \Prime Date.txt
• coinbase.com
• https://www.coinbase.com/api/v2/hold-balances
• https://www.coinbase.com/api/v2/user/second-factor
• https://www.coinbase.com/api/v2/user
• 'https://www.vinted.
• \Reviews.txt
• \Messages.txt
• \NoMessages.txt
• \Banned.txt
• \Valide.txt
• reddit.com
• https://ads.reddit.com/accounts
• !\Good_Reddit.txt
• \Gold.txt
• \ADS.txt
• \NoCoins.txt
• https://auth.mail.ru/cgi-bin/auth?mac=1
• https://auth.mail.ru/sdc?from=https://e.mail.ru/messages/inbox
• https://e.mail.ru/api/v1/tokens
• \Found.txt
• youtube.com
• .google.com
• https://studio.youtube.com/getAccountSwitcherEndpoint
• \Monetized.txt
• \MoreChannels.txt
• \Brand.txt
• \NoBrand.txt
• \Verified.txt
• !\Subscribers.txt
• %\NoSubscribers.txt
• \Views.txt
• tiktok.com
• https://www.tiktok.com/passport/web/account/info/?aid=1459
• https://webcast-m.tiktok.com/webcast/room/create_info/?aid=1988
• https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988
• https://ads.tiktok.com/api/v2/i18n/account/account_switch_list/?aid=1583
• \Coins.txt
• \ADS_TikTok.txt
• \LIVE.txt
• instagram.com
• \Posts.txt
• \Business.txt
• 1\Good_errorCheckInfo.txt
• twitter.com
• https://api.twitter.com/1.1/account/settings.json
• https://twitter.com/i/api/graphql/pVrmNaXcxPjisIvKtLDMEA/UserByScreenName?features=%7B%22blue_business_profile_image_shape_enabled%22%3Atrue%2C%22responsive_web_graphql_exclude_directive_enabled%22%3Atrue%2C%22verified_phone_label_enabled%22%3Afalse%2C%22highlights_tweets_tab_ui_enabled%22%3Atrue%2C%22creator_subscriptions_tweet_preview_api_enabled%22%3Afalse%2C%22responsive_web_graphql_skip_user_profile_image_extensions_enabled%22%3Afalse%2C%22responsive_web_graphql_timeline_navigation_enabled%22%3Atrue%7D&variables=%7B%22screen_name%22%3A%22
• )\['] Twitter ADS.txt
• !\NoFollowers.txt
• \Suspended.txt
• %\Not_Suspended.txt
• \BlueVerified.txt
• \Media.txt
• netflix.com
• https://www.netflix.com/YourAccount
• \Premium.txt
• \cookies.txt
• \Basic.txt
• \Standart.txt
• \NoPlan.txt
• \Other.txt
• mihoyo.com
• hoyolab.com
• https://bbs-api-os.hoyolab.com/community/painter/wapi/user/full
• \Empty.txt
• https://bbs-api-os.hoyolab.com/game_record/genshin/api/character
• ":"https://upload-os-bbs.mihoyo.com/game_record/genshin/character_image/UI_AvatarIcon
• \Characters.txt
• \NoCharacters.txt
• \Achievements.txt
• \LVL.txt
• facebook.com
• https://www.facebook.com/friends/list
• +\AllValideSession.txt
• .amazon.com
• https://www.amazon.com
• https://www.amazon.de
• https://www.amazon.fr
• https://www.amazon.ca
• https://www.amazon.pl
• https://www.amazon.es
• https://www.amazon.it
• https://www.amazon.co.uk
• https://www.amazon.ae
• https://www.amazon.sg
• https://www.amazon.nl
• https://www.amazon.co.jp
• https://www.amazon.com.br
• https://www.amazon.cn
• https://www.amazon.eg
• https://www.amazon.in
• https://www.amazon.com.mx
• https://www.amazon.sa
• https://www.amazon.se
• https://www.amazon.com.tr
• -\ErrorBalanceCheck.txt
• )\GiftCardBalance.txt
• \Orders.txt
• !\CreditCards.txt
• %\NoCreditCards.txt
• wordpress.com
• https://wordpress.com/stats/day
• \NoSites.txt
• \Sites.txt
• https://api.passport.yandex.ru/accounts
• https://mail.yandex.ru/web-api/models/liza1?_m=messages
• playstation.com
• sony.com
• 9sonyentertainmentnetwork.com
• https://web.np.playstation.com/api/graphql/v2/transact/wallets
• https://web.np.playstation.com/api/graphql/v1/op?operationName=oracleUserProfileRetrieve&variables=%7B%7D&extensions=%7B%22persistedQuery%22%3A%7B%22version%22%3A1%2C%22sha256Hash%22%3A%226030dbc8620ff861490c5d46d4c644fcfe0f4feb7abbced7bc92f2944373ff48%22%7D%7D
• https://web.np.playstation.com/api/graphql/v1/op?operationName=getPurchasedGameList&variables=%7B%22isActive%22%3Atrue%2C%22platform%22%3A%5B%22ps4%22%2C%22ps5%22%5D%2C%22size%22%3A24%2C%22start%22%3A0%2C%22sortBy%22%3A%22ACTIVE_DATE%22%2C%22sortDirection%22%3A%22desc%22%2C%22subscriptionService%22%3A%22NONE%22%7D&extensions=%7B%22persistedQuery%22%3A%7B%22version%22%3A1%2C%22sha256Hash%22%3A%222c045408b0a4d0264bb5a3edfed4efd49fb4749cf8d216be9043768adff905e2%22%7D%7D
• games].txt
• \NoGames.txt
• \Games.txt
• \PSPlus.txt
• \NoPassPay.txt
• )escapefromtarkov.com
• https://www.escapefromtarkov.com/preorder-page?lang=en
• <a href="/logout"
• \Good_Session.txt
• rlogin
• https://mail.rambler.ru/api/v2
• .yahoo.com
• \u002F
• https://apis.mail.yahoo.com/ws/v3/mailboxes
• https://accounts.google.com/AccountChooser?flowName=GlifWebSignIn&flowEntry=AccountChooser
• https://ogs.google.com/u/0/widget/account
• !/?authuser\u003d
• https://pay.google.com/gp/w/u/0/home/paymentmethods
• https://accounts.google.com/Logout
• \u003d\u003d
• https://payments.google.com/payments/u/0/payment_methods?tc=35&wst=1623884460143&cst=1623884460160&si=3400117699409835&sri=2&ipi=6tr41s4lggix&hostOrigin=aHR0cHM6Ly9wYXkuZ29vZ2xlLmNvbQ..&origin=https%3A%2F%2Fpay.google.com&mm=e&hl=ru&style=%3Apc%3D%23fff%3Btn%3Dpc%3Bnav%3DPT%3Bm2_o&cn=%24p_hubzzjnuecww0
• www.ebay.com
• "userLoginName":{"_type":"TextualDisplay","textSpans":[{"_type":"TextSpan","text":"
• _Valide.txt
• funpay.com
• https://funpay.com/account/balance
• linkedin.com
• https://www.linkedin.com/mypreferences/d/categories/account
• https://www.linkedin.com/mysettings-api/settingsApiSneakPeeks?category=SIGN_IN_AND_SECURITY&q=category
• %\ValideSession.txt
• https://api.telegram.org/bot
• I/WPF_login;component/mainwindow.xaml
• Aol.com:
• O[Facebook] : https://www.facebook.com/
• W/WPF_login;component/minecraftsettings.xaml
• S/WPF_login;component/netflixsettings.xaml
• S/WPF_login;component/outlooksettings.xaml
• 2.8.3.0

Flow Anomalies

Offset	RVA	Section	Description
22E3E	119233B7	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
2F2B1	119233B7	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
47F0D	2D4CDD3A	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
5ED5E	48B75B5	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
6C880	48B75B5	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
7160C	1190FECB	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
7A275	1190FECB	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
85C90	6D179F1F	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
8DFB9	6F12F097	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
8EC72	6F12F097	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
93294	63B6B178	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
A4675	63B6B178	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
A55D4	4E903F19	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
B39C6	151DC276	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
BAF4C	151DC276	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
D09E0	163BBE9C	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
E2398	54240C54	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
E43FC	751478CD	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
E4500	751478CD	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
ECF23	751478CD	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
EFBA0	751478CD	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
F4F40	751478CD	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
104657	751478CD	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
10DBD7	751478CD	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
1126C1	751478CD	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
115837	EE40C59	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
118BA0	EE40C59	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
118C73	2D376C21	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
122523	2D376C21	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
1378B6	C598129	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
139EE6	26ED8357	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
1487F4	5B8A9754	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
149F46	5B8A9754	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
1591F9	2D7849FE	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
15B0D5	2D7849FE	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
164AC4	2D7849FE	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
169BB2	7F8000	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
16BEF3	5DB3E81D	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
170D3D	5DB3E81D	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
175039	5DB3E81D	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
178BD7	679ABCFF	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
17A884	679ABCFF	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
17CBE7	679ABCFF	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
17D3E2	679ABCFF	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
17D71D	7B16C689	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
189CDE	7B16C689	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
190003	7B16C689	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
19BD33	4860675B	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
19E5CE	4860675B	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
1A63B1	34D2C931	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
1A94D6	45ED5757	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
1AFF4E	779CBB5B	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
1B12AF	94868C6	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
1B2E4B	94868C6	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
1B308D	6B86504A	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
1B70AE	54EEDEE6	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
1BBC67	BF6BC68	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
1DA1DC	7C2BC481	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
2069A6	66C17776	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
206F64	66C17776	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
22B0B9	4138DCB4	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
22DA28	4138DCB4	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
23D381	730D1A6E	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
246515	730D1A6E	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
247E35	4828A181	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
24F8D3	4828A181	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
256D13	2420D3FB	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
25D5BF	1C63D61	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
270139	6619BC01	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
274499	6619BC01	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
275093	6619BC01	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
2817EE	6619BC01	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
2863B5	6619BC01	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
29F2FF	6619BC01	.DNGUARD	JMP [static] \| Indirect jump to absolute memory address
2A2A88	6619BC01	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
2DBCFC	26140823	.DNGUARD	CALL [static] \| Indirect call to absolute memory address
313A47	20FF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
313C4F	29FF5A3C	.rsrc	JMP [static] \| Indirect jump to absolute memory address
313C97	9FF2525	.rsrc	JMP [static] \| Indirect jump to absolute memory address
314EEB	23FF6415	.rsrc	CALL [static] \| Indirect call to absolute memory address
314EFB	7FF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
31829F	18FF1816	.rsrc	CALL [static] \| Indirect call to absolute memory address
3183D3	27FF2A28	.rsrc	JMP [static] \| Indirect jump to absolute memory address
3184C7	22FF302C	.rsrc	JMP [static] \| Indirect jump to absolute memory address
318883	2CFF2E2A	.rsrc	JMP [static] \| Indirect jump to absolute memory address
3188E3	1FFF312D	.rsrc	JMP [static] \| Indirect jump to absolute memory address
3189AB	1AFF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
318B9F	16FF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
318C37	20FF2C29	.rsrc	JMP [static] \| Indirect jump to absolute memory address
318D93	16FF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
318F87	15FF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
318F8B	16FF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
319183	16FF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
31937F	17FF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
319407	1AFFEAE2	.rsrc	CALL [static] \| Indirect call to absolute memory address
31944B	1EFF2C29	.rsrc	JMP [static] \| Indirect jump to absolute memory address
319493	1EFFD0C1	.rsrc	JMP [static] \| Indirect jump to absolute memory address
31961F	2DFFD5C6	.rsrc	JMP [static] \| Indirect jump to absolute memory address
31964F	22FF2C29	.rsrc	JMP [static] \| Indirect jump to absolute memory address
319B7B	1BFF1515	.rsrc	CALL [static] \| Indirect call to absolute memory address
2E536C-2E56FF	N/A	.DNGUARD	Potential obfuscated jump sequence detected, count: 458
322BB3	FFC00400	.rsrc	TLS Callback \| Pointer to 400 Memory
322BB7	FFC00100	.rsrc	TLS Callback \| Pointer to 100 Memory

Extra Analysis

Metric	Value	Percentage
Ascii Code	2172312	66,0255%
Null Byte Code	163383	4,9659%

PESCAN.IO - Analysis Report Basic