PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not reproduced in this export]
PE Chart Colour Code:
• Executable header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header

Chart Colour Code For Other Files:
• Printable characters (blue)
• Non-printable characters (black)
Information
Size: 1,16 MB
SHA-256 Hash: DC5B215A6A23E5B7C34A982638F7F5B1902B36D0334796DB9B0037DF2A579A25
SHA-1 Hash: 5754400C51BACDC8DB20E6514D978D6157B08B52
MD5 Hash: 1D862D095CF40976C445C429981BA9C9
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 0012A330
EntryPoint (rva): 11D89E
SizeOfHeaders: 200
SizeOfImage: 12A000
ImageBase: 400000
Architecture: x86
ImportTable: 11D844
IAT: 2000
Characteristics: 102
TimeDateStamp: 51F00614
Date: 24/07/2013 16:51:32
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 60000020 (Code, Executable, Readable) | 200 | 11BA00 | 2000 | 11B8A4 | 6,44951963 | 2399,38
.rsrc | 40000040 (Initialized Data, Readable) | 11BC00 | 9A00 | 11E000 | 99B8 | 5,57621274 | 330,34
.reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 125600 | 200 | 128000 | C | 0,10191280 | 15,00
Description
OriginalFilename: CDCE62005_GUI.exe
LegalCopyright: Copyright 2012
ProductName: CDCE62005_GUI
FileVersion: 1.0.0.0
FileDescription: CDCE62005_GUI
ProductVersion: 1.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 (.text) contains the Entry Point.
Information -> EntryPoint (calculated file offset) - 11BA9E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL

Signatures
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v4.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(8.0)[-]
PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.44338

File Access
CDCE62005_GUI.exe
mscoree.dll
TIHera.dll
AppData

File Access (UNICODE)
CDCE62005_GUI.exe
\savedData.ini
ini)|*.INI

Interesting Words
PassWord
<input
<main
exec
attrib
start
ping

Interesting Words (UNICODE)
PassWord

URLs
http://ocsp.thawte.com
http://crl.thawte.com/ThawteTimestampingCA.crl
http://ts-ocsp.ws.symantec.com
http://ts-aia.ws.symantec.com/tss-ca-g2.cer
http://ts-crl.ws.symantec.com/tss-ca-g2.crl
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl
http://csc3-2010-crl.verisign.com/CSC3-2010.crl
http://ocsp.verisign.com
http://csc3-2010-aia.verisign.com/CSC3-2010.cer
http://logo.verisign.com/vslogo.gif04
http://crl.verisign.com/pca3-g5.crl
https://www.verisign.com/rpa
https://www.verisign.com/rpa0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0

IP Addresses
10.0.0.0

Strings/Hex Code Found With The File Rules
Rule Type | Encoding | Matched (Word)
Text | Ascii | WinAPI Sockets (send)
Text | Ascii | Antivirus Software (Symantec)
Text | Ascii | Keyboard Key (Scroll)
Text | Unicode | Keyboard Key (Scroll)
Text | Ascii | Technique used to circumvent security measures (Bypass)
Text | Unicode | Technique used to circumvent security measures (Bypass)
Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET
Entry Point | Hex Pattern | Microsoft Visual C++ 8
Entry Point | Hex Pattern | Microsoft Visual C++ 8.0
Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET
Entry Point | Hex Pattern | Microsoft Visual Studio .NET
Entry Point | Hex Pattern | .NET executable
Resources
Path | DataRVA | Size | FileOffset | CodeText (raw hex preview omitted; content type recovered from the preview)
\ICON\2\0 | 11E5B0 | 668 | 11C1B0 | DIB icon image (BITMAPINFOHEADER)
\ICON\3\0 | 11EC18 | 2E8 | 11C818 | DIB icon image (BITMAPINFOHEADER)
\ICON\4\0 | 11EF00 | 128 | 11CB00 | DIB icon image (BITMAPINFOHEADER)
\ICON\5\0 | 11F028 | EA8 | 11CC28 | DIB icon image (BITMAPINFOHEADER)
\ICON\6\0 | 11FED0 | 8A8 | 11DAD0 | DIB icon image (BITMAPINFOHEADER)
\ICON\7\0 | 120778 | 568 | 11E378 | DIB icon image (BITMAPINFOHEADER)
\ICON\8\0 | 120CE0 | 2F95 | 11E8E0 | PNG image (.PNG / IHDR header)
\ICON\9\0 | 123C78 | 25A8 | 121878 | DIB icon image (BITMAPINFOHEADER)
\ICON\10\0 | 126220 | 10A8 | 123E20 | DIB icon image (BITMAPINFOHEADER)
\ICON\11\0 | 1272C8 | 468 | 124EC8 | DIB icon image (BITMAPINFOHEADER)
\GROUP_ICON\32512\0 | 127730 | 92 | 125330 | Icon group directory (RT_GROUP_ICON)
\VERSION\1\0 | 11E2E0 | 2D0 | 11BEE0 | VS_VERSION_INFO block (UTF-16)
\24\1\0 | 1277C8 | 1EA | 1253C8 | UTF-8 XML application manifest (RT_MANIFEST), begins <?xml version="1.0" encoding="UTF-8" standalone
Intelligent String
• 1.0.0.0
• CDCE62005_GUI.exe
• /INI Files (*.ini)|*.INI
• \savedData.ini
• .ini
• /HEX Files (*.hex)|*.HEX
• .hex
• /INI Files (*.bin)|*.BIN
• D:\Clocks & Opticals\Projects\CDCE62005\GUI Elements\C\CDCE62005_GUI\CDCE62005_GUI\obj\x86\Release\CDCE62005_GUI.pdb
• _CorExeMainmscoree.dll

Flow Anomalies
Offset RVA Section Description
2DDEE 1277C8 .text JMP [static] | Indirect jump to absolute memory address
34AA1 41E8770B .text CALL [static] | Indirect call to absolute memory address
3BBB5 41E8770B .text JMP [static] | Indirect jump to absolute memory address
45185 41E8770B .text JMP [static] | Indirect jump to absolute memory address
4E5E5 41E8770B .text JMP [static] | Indirect jump to absolute memory address
57AFD 41E8770B .text JMP [static] | Indirect jump to absolute memory address
612D2 41E8770B .text JMP [static] | Indirect jump to absolute memory address
6B457 58DA9F3B .text JMP [static] | Indirect jump to absolute memory address
7606D 58DA9F3B .text JMP [static] | Indirect jump to absolute memory address
7F4CD 58DA9F3B .text JMP [static] | Indirect jump to absolute memory address
88AC4 58DA9F3B .text JMP [static] | Indirect jump to absolute memory address
98F2C 219B33AD .text JMP [static] | Indirect jump to absolute memory address
99492 40F0E7DF .text CALL [static] | Indirect call to absolute memory address
A0D70 2B9C4E27 .text JMP [static] | Indirect jump to absolute memory address
A57DA 707EF8AA .text CALL [static] | Indirect call to absolute memory address
A8AB6 3FC204D .text JMP [static] | Indirect jump to absolute memory address
AB897 3FC204D .text CALL [static] | Indirect call to absolute memory address
B6ACA 238F33B2 .text CALL [static] | Indirect call to absolute memory address
C5616 41E8770B .text CALL [static] | Indirect call to absolute memory address
CF3F5 41E8770B .text JMP [static] | Indirect jump to absolute memory address
D9765 41E8770B .text JMP [static] | Indirect jump to absolute memory address
DE7F8 619861FA .text JMP [static] | Indirect jump to absolute memory address
E3EE5 619861FA .text JMP [static] | Indirect jump to absolute memory address
ED4B5 619861FA .text JMP [static] | Indirect jump to absolute memory address
F6EF5 619861FA .text JMP [static] | Indirect jump to absolute memory address
FB745 C3F1CCE .text CALL [static] | Indirect call to absolute memory address
FB833 C3F1CCE .text CALL [static] | Indirect call to absolute memory address
100F15 C3F1CCE .text JMP [static] | Indirect jump to absolute memory address
11BA9E 402000 .text JMP [static] | Indirect jump to absolute memory address
120E6E 402000 .rsrc JMP [static] | Indirect jump to absolute memory address
125800 N/A *Overlay* F83A00000002020030823AEB06092A864886F70D | .:......0.:...*.H...
Extra Analysis
Metric | Value | Percentage
Ascii Code | 667110 | 54,8037%
Null Byte Code | 311843 | 25,6182%