PESCAN.IO - Analysis Report Basic
| Information |
| Field | Value |
|---|---|
| Size | 2,16 MB |
| SHA-256 Hash | 20E154E00BB6D3865B40DFD8550F1C15325FAED85E18DD5BB712263313CFB574 |
| SHA-1 Hash | E340182FC17F067D56770C489E4FFB398E172D82 |
| MD5 Hash | AB1A0F21B8D342B9BB9FF8C9E00449DE |
| Imphash | F9E14093194F399DCAD11DB296BAFAFB |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 0022DBAF |
| EntryPoint (rva) | 81B8 |
| SizeOfHeaders | 1000 |
| SizeOfImage | 22D000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 222734 |
| IAT | 1000 |
| Characteristics | 10F |
| TimeDateStamp | 56785F15 |
| Date | 21/12/2015 20:20:37 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | .text, .data, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 1000 | 223000 | 1000 | 2225FC | 6,0227 | 24415355,49 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 224000 | 1000 | 224000 | 5204 | 0,0000 | 1044480,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 225000 | 3000 | 22A000 | 20E0 | 4,3870 | 927520,46 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | Codeldr4.exe |
| CompanyName | Texas Instruments |
| LegalCopyright | Copyright Texas Instruments 2015 |
| ProductName | CodeLoader 4 |
| FileVersion | 4.20.0002 |
| ProductVersion | 4.20.0002 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
| Section number 1 (.text) has the entry point information -> EntryPoint (calculated) - 81B8 • Code -> 68A8854000E8F0FFFFFF00000000000030000000400000000000000052B0A10C2E5BA64C84C6906BCA4B6F64000000000000 • PUSH 0X4085A8 • CALL 0XFFA • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • XOR BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • INC EAX • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EDX - 0X50], DL • MOV EAX, DWORD PTR [0XA65B2E0C] • DEC ESP • TEST DH, AL • NOP • IMUL ECX, EDX, 0X4B • OUTSD DX, DWORD PTR [ESI] • ADD BYTE PTR FS:[EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL |
| Signatures |
| Rich Signature Analyzer: • Code -> 8F8AF9DBCBEB9788CBEB9788CBEB978848F79988CAEB9788A2F49E88EAEB978822F49A88CAEB978852696368CBEB9788 • Footprint md5 Hash -> 23F134BE1A0573314511DB8B1EDB8309 • The Rich header apparently has not been modified |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Compiler: Visual Basic 6 - (Native Code) |
| Detect It Easy (die): • PE: compiler: Microsoft Visual Basic(6.0)[Native] • PE: linker: Microsoft Linker(6.0*)[-] • Entropy: 6.00957 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| MSVBVM60.DLL | DllFunctionCall | It enables calling routines from external DLLs in VB code, integrating external code into Visual Basic projects. |
| KERNEL32.DLL | RtlMoveMemory | Moves a block of memory to another location. |
| USER32.DLL | CallWindowProcA | Invokes the window procedure for the specified window and messages. |
| SHELL32.DLL | ShellExecuteA | Performs a run operation on a specific file. |
| File Access |
| MSVBVM60.DLL VBA6.DLL HID.dll setupapi.dll \Windows\SysWOW64\msvbvm60.dll Kernel32.dll user32.dll usb2uwire.dll shell32.dll Tvicport.dll MSScriptControlCtl.Scr .dat |
| File Access (UNICODE) |
| txt)|*.txt Codeldr4.exe pn_sim-lf.txt pn_sim-vco.txt pn_sim-pll.txt pn_sim-osc.txt pn_sim.txt new_lowest_jitter.txt solved_values.txt spurs-other.txt spurs-fpd.txt spurs-ibs.txt spurs-mash-nonlinear.txt spurs-total.txt spurs-sub-fractional.txt spurs-primary-fractional.txt log.txt /usblog.txt Maybe the FlexGUI_view.ini \worksvn\CodeLoader4x\LMK6100-ENGINEERING.ini codeldr.ini Temp |
| Words of Interest |
| lockbit exec start |
| Words of Interest (UNICODE) |
| cscript exec start expand |
| URLs (UNICODE) |
| http://www.ti.com/lsds/ti/analog/clocksandtimers/clocks_and_timers.page |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Unicode | WinAPI Sockets (bind) |
| Text | Unicode | WinAPI Sockets (connect) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Unicode | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Technique used to circumvent security measures (Bypass) |
| Text | Unicode | Technique used to circumvent security measures (Bypass) |
| Text | Unicode | Related to a particular nation or its government (National) |
| Entry Point | Hex Pattern | Microsoft Visual Basic 5.0 |
| Entry Point | Hex Pattern | Microsoft Visual Basic v5.0 |
| Entry Point | Hex Pattern | Microsoft Visual Basic v5.0 - v6.0 |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\30001\0 | 22BB78 | 568 | 226B78 | 280000001000000020000000010008000000000000000000000000000000000000000000000000000B0756000B085F000C0A | (....... .................................V..._... |
| \ICON\30002\0 | 22B2D0 | 8A8 | 2262D0 | 2800000020000000400000000100080000000000000000000000000000000000000000000000000005032F00020335000606 | (... ...@................................./...5... |
| \ICON\30003\0 | 22A428 | EA8 | 225428 | 2800000030000000600000000100080000000000000000000000000000000000000000000000000000045400050263000B07 | (...0....................................T...c... |
| \GROUP_ICON\1\0 | 22A3F8 | 30 | 2253F8 | 00000100030010100000010008006805000031752020000001000800A808000032753030000001000800A80E00003375 | ..............h...1u ..........2u00..........3u |
| \VERSION\1\1033 | 22A150 | 2A8 | 225150 | A80234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001400 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
| • MSVBVM60.DLL • C:\worksvn\CodeLoader4x\Codeldr.vbp • c:/usblog.txt • C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLBA • C:\windows\SysWow64\COMCT232.oca • C:\windows\SysWow64\TABCTL32.oca • C:\windows\SysWOW64\MSCOMCTL.oca • C:\Windows\SysWOW64\msscript.oca • C:\Program Files (x86)\Microsoft Visual Studio\VB98\VBA6.dll • Tvicport.dll • usb2uwire.dll • user32.dll • All Files (*.*)|*.*|Text Files (*.txt)|*.txt • Kernel32.dll • c:\windows\syswow64\msvbvm60.dll • LMKX33_EEMAP_UpdateEEPROMDump • setupapi.dll • ti.gif • log.txt • .ini • codeldr.ini • All Files (*.*)|*.*|Text Files (*.txt)|*.txt|BurstCommand Files (*.mac)|*.mac • VBA6.DLL • http://www.ti.com/lsds/ti/analog/clocksandtimers/clocks_and_timers.page • _display.gif • eedump updated • mtc_EEPROMdump • t:\r • usbAddCmd - GotAck • spurs-primary-fractional.txt • spurs-sub-fractional.txt • spurs-total.txt • spurs-mash-nonlinear.txt • spurs-ibs.txt • spurs-fpd.txt • spurs-other.txt • solved_values.txt • new_lowest_jitter.txt • All Files (*.*)|*.*|EEPROM Files (*.epr)|*.epr • .txt • C:\worksvn\CodeLoader4x\LMK6100-ENGINEERING.ini • pn_sim.txt • pn_sim-osc.txt • pn_sim-pll.txt • pn_sim-vco.txt • pn_sim-lf.txt • Codeldr4.exe |
| Flow Anomalies |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1169510 | 51,7255% |
| Null Byte Code | 369998 | 16,3644% |
| NOP Cave Found (0x9090909090) | Block Count: 1215 | 0,1343% |