PESCAN.IO - Analysis Report Basic

File Structure
(Analysis image not reproduced.) PE chart legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red). A file structure drawn in red indicates a malformed or corrupted header.
Chart legend for other file types: printable characters (blue), non-printable characters (black).
Information
Size: 105,95 KB
SHA-256 Hash: 0A8AA4319ECB5106BFDAA45A1D5EFFBFD71173CF30FA284906A4437F8A0C644D
SHA-1 Hash: 2197FA748635F6192D3E3BDC2A454F2E2FE442E5
MD5 Hash: 300C50EFE729752E96E5BB8DBD9AE8E6
Imphash: 0575BFBFB10A61D164345C7DABCC8667
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00024772
EntryPoint (rva): 13D0
SizeOfHeaders: 400
SizeOfImage: 20000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 8000
IAT: 8188
Characteristics: 226
TimeDateStamp: 6622F2C0
Date: 19/04/2024 22:40:00
File Type: EXE
Number Of Sections: 11
ASLR: Disabled
Section Names (Optional Header): .text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 60000060 (Code, Initialized Data, Executable, Readable) | 400 | 1800 | 1000 | 16C8 | 5,82079647 | 1,33
.data | C0000040 (Initialized Data, Readable, Writeable) | 1C00 | 200 | 3000 | 90 | 0,61511105 | 95,00
.rdata | 40000040 (Initialized Data, Readable) | 1E00 | C00 | 4000 | A50 | 4,45301062 | 55,83
.pdata | 40000040 (Initialized Data, Readable) | 2A00 | 400 | 5000 | 210 | 2,25931454 | 39,50
.xdata | 40000040 (Initialized Data, Readable) | 2E00 | 200 | 6000 | 184 | 3,04503780 | 9,00
.bss | C0000080 (Uninitialized Data, Readable, Writeable) | 0 | 0 | 7000 | 180 | N/A | N/A
.idata | C0000040 (Initialized Data, Readable, Writeable) | 3000 | 600 | 8000 | 584 | 3,65151131 | 16,67
.CRT | C0000040 (Initialized Data, Readable, Writeable) | 3600 | 200 | 9000 | 60 | 0,27951225 | 22,00
.tls | C0000040 (Initialized Data, Readable, Writeable) | 3800 | 200 | A000 | 10 | 0,00001305 | 60,00
.rsrc | 40000040 (Initialized Data, Readable) | 3A00 | 13C00 | B000 | 13A40 | 6,08631506 | 537,78
.reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 17600 | 200 | 1F000 | 78 | 1,38518849 | 7,00
Description
OriginalFilename: pythonw.exe
CompanyName: Python Software Foundation
LegalCopyright: Copyright 2001-2023 Python Software Foundation. Copyright 2000 BeOpen.com. Copyright 1995-2001 CNRI. Copyright 1991-1995 SMC.
ProductName: Python
FileVersion: 3.11.9
FileDescription: Python
ProductVersion: 3.11.9
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section 1 (.text) contains the entry point.
Information -> EntryPoint (calculated file offset) - 7D0
Code (bytes at the entry point) -> 4883EC28488B05F52F0000C70001000000E89AFDFFFF90904883C428C30F1F004883EC28488B05D52F0000C70000000000E8
Disassembly:
SUB RSP, 0X28
MOV RAX, QWORD PTR [RIP + 0X2FF5]
MOV DWORD PTR [RAX], 1
CALL 0XDB0
NOP
NOP
ADD RSP, 0X28
RET
NOP DWORD PTR [RAX]
SUB RSP, 0X28
MOV RAX, QWORD PTR [RIP + 0X2FD5]
MOV DWORD PTR [RAX], 0

Signatures
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler
Detect It Easy (die)
Entropy: 6.2378

File Access
msvcrt.dll
KERNEL32.dll
libpython3.11.dll
.dat

File Access (UNICODE)
pythonw.exe

Words of Interest
exec
start
ping

URLs
http://schemas.microsoft.com/SMI/2016/WindowsSettings
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://www.digicert.com/CPS0
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

Strings/Hex Code Matched by File Rules
Rule | Type | Encoding | Matched (Word)
Stealth | Text | Ascii | VirtualProtect
ASProtect vx.x | Entry Point | Hex Pattern |
Microsoft Visual C++ 8.0 (DLL) | Entry Point | Hex Pattern |
Resources
Path | DataRVA | Size | FileOffset | Code | Text
\ICON\1\1033 | B340 | 3A47 | 3D40 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000097048597300000EC300000EC301 | .PNG........IHDR.............\r.f....pHYs.........
\ICON\2\1033 | ED88 | 1628 | 7788 | 2800000040000000800000000100080000000000001000000000000000000000000100000001000000000000656565006E6E | (...@.......................................eee.nn
\ICON\3\1033 | 103B0 | EA8 | 8DB0 | 2800000030000000600000000100080000000000000900000000000000000000000100000001000000000000646464007676 | (...0......................................ddd.vv
\ICON\4\1033 | 11258 | 8A8 | 9C58 | 2800000020000000400000000100080000000000000400000000000000000000000100000001000000000000656565009869 | (... ...@...................................eee..i
\ICON\5\1033 | 11B00 | 6C8 | A500 | 2800000018000000300000000100080000000000400200000000000000000000000100000001000000000000986930009C6D | (.......0...........@........................i0..m
\ICON\6\1033 | 121C8 | 568 | ABC8 | 28000000100000002000000001000800000000000001000000000000000000000001000000010000000000009A6B32009B6C | (....... ....................................k2..l
\ICON\7\1033 | 12730 | 2E29 | B130 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000097048597300000EC300000EC301 | .PNG........IHDR.............\r.f....pHYs.........
\ICON\8\1033 | 15560 | 4228 | DF60 | 2800000040000000800000000100200000000000004200000000000000000000000000000000000000000000000000000000 | (...@......... ......B............................
\ICON\9\1033 | 19788 | 25A8 | 12188 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................
\ICON\10\1033 | 1BD30 | 10A8 | 14730 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ...................................
\ICON\11\1033 | 1CDD8 | 988 | 157D8 | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... ..................................
\ICON\12\1033 | 1D760 | 468 | 16160 | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@.............................
\GROUP_ICON\1\1033 | 1DBC8 | AE | 165C8 | 000001000C000000000001000800473A0000010040400000010008002816000002003030000001000800A80E000003002020 | ..............G:....@@......(.....00............
\VERSION\1\1033 | 1DC78 | 3B8 | 16678 | B80334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000B00 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 | 1E030 | 527 | 16A30 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• @.bss
• .CRT
• .tls
• libpython3.11.dll
• KERNEL32.dll
• msvcrt.dll
• pythonw.exe
• <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>

Flow Anomalies
Offset RVA Section Description
62F N/A .text CALL QWORD PTR [RIP+0x6F8B]
860 N/A .text JMP QWORD PTR [RIP+0x6D22]
C4B N/A .text CALL QWORD PTR [RIP+0x698F]
CAE N/A .text CALL QWORD PTR [RIP+0x6924]
CB8 N/A .text CALL QWORD PTR [RIP+0x68EA]
1294 N/A .text CALL QWORD PTR [RIP+0x6306]
12EA N/A .text JMP QWORD PTR [RIP+0x62C8]
1337 N/A .text CALL QWORD PTR [RIP+0x6263]
1352 N/A .text CALL QWORD PTR [RIP+0x6260]
138A N/A .text CALL QWORD PTR [RIP+0x6210]
13C6 N/A .text CALL QWORD PTR [RIP+0x61EC]
14A5 N/A .text CALL QWORD PTR [RIP+0x60ED]
14D7 N/A .text CALL QWORD PTR [RIP+0x60D3]
1990 N/A .text JMP QWORD PTR [RIP+0x5C5A]
1998 N/A .text JMP QWORD PTR [RIP+0x5C5A]
19A0 N/A .text JMP QWORD PTR [RIP+0x5C5A]
19A8 N/A .text JMP QWORD PTR [RIP+0x5C5A]
19B0 N/A .text JMP QWORD PTR [RIP+0x5C5A]
19B8 N/A .text JMP QWORD PTR [RIP+0x5C62]
19C0 N/A .text JMP QWORD PTR [RIP+0x5C62]
19C8 N/A .text JMP QWORD PTR [RIP+0x5C72]
19D0 N/A .text JMP QWORD PTR [RIP+0x5C72]
19D8 N/A .text JMP QWORD PTR [RIP+0x5C72]
19E0 N/A .text JMP QWORD PTR [RIP+0x5C72]
19E8 N/A .text JMP QWORD PTR [RIP+0x5C72]
19F0 N/A .text JMP QWORD PTR [RIP+0x5C72]
19F8 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A00 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A08 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A10 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A18 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A20 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A28 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A30 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A38 N/A .text JMP QWORD PTR [RIP+0x5C72]
1A40 N/A .text JMP QWORD PTR [RIP+0x5B9A]
1A48 N/A .text JMP QWORD PTR [RIP+0x5B8A]
1A50 N/A .text JMP QWORD PTR [RIP+0x5B7A]
1A58 N/A .text JMP QWORD PTR [RIP+0x5B6A]
1A60 N/A .text JMP QWORD PTR [RIP+0x5B5A]
1A68 N/A .text JMP QWORD PTR [RIP+0x5B4A]
1A70 N/A .text JMP QWORD PTR [RIP+0x5B3A]
1A78 N/A .text JMP QWORD PTR [RIP+0x5B2A]
1A80 N/A .text JMP QWORD PTR [RIP+0x5B1A]
1A88 N/A .text JMP QWORD PTR [RIP+0x5B0A]
459C N/A .rsrc JMP QWORD PTR [RIP+0xC7013C64]
19DCD N/A *padding* JMP QWORD PTR [RIP+0x2C279963]
3638 1570 .CRT TLS Callback | Pointer to 140001570 - 0x970 .text
3640 1540 .CRT TLS Callback | Pointer to 140001540 - 0x940 .text
2A00 1000 .pdata ExceptionHook | Pointer to 1000 - 0x400 .text + UnwindInfo: .xdata
2A0C 1010 .pdata ExceptionHook | Pointer to 1010 - 0x410 .text + UnwindInfo: .xdata
2A18 1130 .pdata ExceptionHook | Pointer to 1130 - 0x530 .text + UnwindInfo: .xdata
2A24 1180 .pdata ExceptionHook | Pointer to 1180 - 0x580 .text + UnwindInfo: .xdata
2A30 13D0 .pdata ExceptionHook | Pointer to 13D0 - 0x7D0 .text + UnwindInfo: .xdata
2A3C 13F0 .pdata ExceptionHook | Pointer to 13F0 - 0x7F0 .text + UnwindInfo: .xdata
2A48 1410 .pdata ExceptionHook | Pointer to 1410 - 0x810 .text + UnwindInfo: .xdata
2A54 1430 .pdata ExceptionHook | Pointer to 1430 - 0x830 .text + UnwindInfo: .xdata
2A60 1440 .pdata ExceptionHook | Pointer to 1440 - 0x840 .text + UnwindInfo: .xdata
2A6C 1450 .pdata ExceptionHook | Pointer to 1450 - 0x850 .text + UnwindInfo: .xdata
2A78 1470 .pdata ExceptionHook | Pointer to 1470 - 0x870 .text + UnwindInfo: .xdata
2A84 14B0 .pdata ExceptionHook | Pointer to 14B0 - 0x8B0 .text + UnwindInfo: .xdata
2A90 1520 .pdata ExceptionHook | Pointer to 1520 - 0x920 .text + UnwindInfo: .xdata
2A9C 1540 .pdata ExceptionHook | Pointer to 1540 - 0x940 .text + UnwindInfo: .xdata
2AA8 1570 .pdata ExceptionHook | Pointer to 1570 - 0x970 .text + UnwindInfo: .xdata
2AB4 1600 .pdata ExceptionHook | Pointer to 1600 - 0xA00 .text + UnwindInfo: .xdata
2AC0 1610 .pdata ExceptionHook | Pointer to 1610 - 0xA10 .text + UnwindInfo: .xdata
2ACC 1710 .pdata ExceptionHook | Pointer to 1710 - 0xB10 .text + UnwindInfo: .xdata
2AD8 1720 .pdata ExceptionHook | Pointer to 1720 - 0xB20 .text + UnwindInfo: .xdata
2AE4 1730 .pdata ExceptionHook | Pointer to 1730 - 0xB30 .text + UnwindInfo: .xdata
2AF0 17A0 .pdata ExceptionHook | Pointer to 17A0 - 0xBA0 .text + UnwindInfo: .xdata
2AFC 1910 .pdata ExceptionHook | Pointer to 1910 - 0xD10 .text + UnwindInfo: .xdata
2B08 1C70 .pdata ExceptionHook | Pointer to 1C70 - 0x1070 .text + UnwindInfo: .xdata
2B14 1CB0 .pdata ExceptionHook | Pointer to 1CB0 - 0x10B0 .text + UnwindInfo: .xdata
2B20 1CC0 .pdata ExceptionHook | Pointer to 1CC0 - 0x10C0 .text + UnwindInfo: .xdata
2B2C 1E80 .pdata ExceptionHook | Pointer to 1E80 - 0x1280 .text + UnwindInfo: .xdata
2B38 1EF0 .pdata ExceptionHook | Pointer to 1EF0 - 0x12F0 .text + UnwindInfo: .xdata
2B44 1F60 .pdata ExceptionHook | Pointer to 1F60 - 0x1360 .text + UnwindInfo: .xdata
2B50 1FF0 .pdata ExceptionHook | Pointer to 1FF0 - 0x13F0 .text + UnwindInfo: .xdata
2B5C 20F0 .pdata ExceptionHook | Pointer to 20F0 - 0x14F0 .text + UnwindInfo: .xdata
2B68 2120 .pdata ExceptionHook | Pointer to 2120 - 0x1520 .text + UnwindInfo: .xdata
2B74 2170 .pdata ExceptionHook | Pointer to 2170 - 0x1570 .text + UnwindInfo: .xdata
2B80 2210 .pdata ExceptionHook | Pointer to 2210 - 0x1610 .text + UnwindInfo: .xdata
2B8C 2290 .pdata ExceptionHook | Pointer to 2290 - 0x1690 .text + UnwindInfo: .xdata
2B98 22D0 .pdata ExceptionHook | Pointer to 22D0 - 0x16D0 .text + UnwindInfo: .xdata
2BA4 2350 .pdata ExceptionHook | Pointer to 2350 - 0x1750 .text + UnwindInfo: .xdata
2BB0 2390 .pdata ExceptionHook | Pointer to 2390 - 0x1790 .text + UnwindInfo: .xdata
2BBC 2420 .pdata ExceptionHook | Pointer to 2420 - 0x1820 .text + UnwindInfo: .xdata
2BC8 2530 .pdata ExceptionHook | Pointer to 2530 - 0x1930 .text + UnwindInfo: .xdata
2BD4 2540 .pdata ExceptionHook | Pointer to 2540 - 0x1940 .text + UnwindInfo: .xdata
2BE0 2550 .pdata ExceptionHook | Pointer to 2550 - 0x1950 .text + UnwindInfo: .xdata
2BEC 2560 .pdata ExceptionHook | Pointer to 2560 - 0x1960 .text + UnwindInfo: .xdata
2BF8 2570 .pdata ExceptionHook | Pointer to 2570 - 0x1970 .text + UnwindInfo: .xdata
2C04 2690 .pdata ExceptionHook | Pointer to 2690 - 0x1A90 .text + UnwindInfo: .xdata
17800 N/A *Overlay* 0000000004000000500200000700000002000000 | ........P...........
Extra Analysis
Metric Value Percentage
Ascii Code 52040 47,9649%
Null Byte Code 27334 25,1936%
NOP Cave Found 0x9090909090 Block Count: 25 | Total: 0,0576%