PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not reproduced in this extract. Chart legend for PE files: light blue = executable header, pink = executable sections, black = non-executable sections, red = external injected code; a file-structure bar drawn in red = malformed or corrupted header. Legend for non-PE files: blue = printable characters, black = non-printable characters.]
Information
Size: 327,22 KB
SHA-256 Hash: 1B4270F1E81B988EF3C27D477C247F7617731386F311141CC35EDC3E63CD2A88
SHA-1 Hash: DD863180DD077989643CE825305BF16DD72A3635
MD5 Hash: AEDD76C0DE5260EBDB6C387C52CDBDFB
Imphash: 037D757ABE5D1FD1AC478007A2B46384
MajorOSVersion: 6
MinorOSVersion: 0 (6.0 = minimum OS Windows Vista / Server 2008)
CheckSum: 00059F36
EntryPoint (rva): A530
SizeOfHeaders: 400
SizeOfImage: 55000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 405B4
IAT: 2E000
Characteristics: 22 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)
TimeDateStamp: 68A91AF0
Date: 23/08/2025 01:35:44 (UTC, decoded from TimeDateStamp; the link timestamp is writer-controlled and is not proof of when the file was built)
File Type: EXE
Number Of Sections: 7
ASLR: Disabled (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is the flag this reflects; a .reloc section is present, so the image is relocatable and only the missing flag opts it out of ASLR)
Section Names (Section Table): .text, .rdata, .data, .pdata, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info
Section   Flags (Characteristics)                              ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text     60000020 (Code, Executable, Readable)                400      2CC00   1000     2CB9C   6,4700   1100973,92
.rdata    40000040 (Initialized Data, Readable)                2D000    13000   2E000    12FEA   5,1008   3234175,36
.data     C0000040 (Initialized Data, Readable, Writeable)     40000    1400    41000    2A60    2,8847   554677,90
.pdata    40000040 (Initialized Data, Readable)                41400    2800    44000    2700    5,3682   320438,25
.fptable  C0000040 (Initialized Data, Readable, Writeable)     43C00    200     47000    100     0,0000   130560,00
.rsrc     40000040 (Initialized Data, Readable)                43E00    B800    48000    B7A8    3,7737   2459816,90
.reloc    42000040 (Initialized Data, Discardable, Readable)   4F600    A00     54000    9E8     5,4343   14572,20
Notes: .reloc's 0x02000000 bit is IMAGE_SCN_MEM_DISCARDABLE (not GP-relative, which is 0x00008000). The raw sections are contiguous from SizeOfHeaders (400) to 50000, where the overlay begins. .fptable's 512 raw bytes are one repeated value: entropy 0 and chi-square 130560 = (512-2)^2/2 + 255*2. No section exceeds entropy 7, consistent with an unpacked MSVC build.
Description
OriginalFilename: Audio Services Perform.exe
CompanyName: AnyAudio
LegalCopyright: Copyright (C) 2025
ProductName: Audio Services Perform
FileVersion: 3.4.6.0
FileDescription: Audio Services Perform
ProductVersion: 3.4.6.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section 1 (.text) contains the entry point.
Entry point file offset (calculated): 9930 (RVA A530 - .text VOffset 1000 + .text ROffset 400; VA 140000000 + A530 = 14000A530)
Code -> 4883EC28E8EF0800004883C428E972FEFFFFCCCC4883EC284D8B4138488BCA498BD1E80D000000B8010000004883C428C3CC
The first four instructions (SUB RSP,28h / CALL / ADD RSP,28h / JMP) are the usual MSVC x64 CRT startup thunk: initialise the security cookie, then jump into the common CRT main. This is why the entry-point pattern rules further down match a generic Visual C++ signature rather than the exact toolset DIE reports; the program's own code is reached through the JMP.
SUB RSP, 0X28
CALL 0X18F8
ADD RSP, 0X28
JMP 0XE84
INT3
INT3
SUB RSP, 0X28
MOV R8, QWORD PTR [R9 + 0X38]
MOV RCX, RDX
MOV RDX, R9
CALL 0X1034
MOV EAX, 1
ADD RSP, 0X28
RET
INT3
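The checks above (entry point file offset, section layout, the .fptable chi-square value) can be reproduced from the report's own numbers. The following is an added example, not code from PESCAN.IO or from the analysed binary; it embeds the section table printed above and assumes SectionAlignment 0x1000 and FileAlignment 0x200, which the report does not print but which every RVA and raw offset here is aligned to.

```python
# Added example (not part of the PESCAN.IO report): consistency checks over the
# section table and optional-header values printed above. All numbers are taken
# from the report; nothing is read from the binary itself.

# (name, raw_offset, raw_size, virtual_rva, virtual_size, entropy, chi2)
SECTIONS = [
    (".text",    0x400,   0x2CC00, 0x1000,  0x2CB9C, 6.4700, 1100973.92),
    (".rdata",   0x2D000, 0x13000, 0x2E000, 0x12FEA, 5.1008, 3234175.36),
    (".data",    0x40000, 0x1400,  0x41000, 0x2A60,  2.8847, 554677.90),
    (".pdata",   0x41400, 0x2800,  0x44000, 0x2700,  5.3682, 320438.25),
    (".fptable", 0x43C00, 0x200,   0x47000, 0x100,   0.0000, 130560.00),
    (".rsrc",    0x43E00, 0xB800,  0x48000, 0xB7A8,  3.7737, 2459816.90),
    (".reloc",   0x4F600, 0xA00,   0x54000, 0x9E8,   5.4343, 14572.20),
]
ENTRY_POINT_RVA = 0xA530
SIZE_OF_HEADERS = 0x400
SIZE_OF_IMAGE = 0x55000
IMAGE_BASE = 0x140000000
SECTION_ALIGNMENT = 0x1000   # assumption: not printed by the report; all RVAs are 0x1000-aligned
FILE_ALIGNMENT = 0x200       # assumption: not printed; SizeOfHeaders and raw offsets are 0x200-aligned


def section_for_rva(rva):
    """Return the section whose virtual range contains rva, or None (headers / unmapped)."""
    for s in SECTIONS:
        _, roff, rsize, vaddr, vsize = s[:5]
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return s
    return None


def rva_to_offset(rva):
    """Map an RVA to a file offset; raise if the RVA is not backed by raw data."""
    s = section_for_rva(rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    name, roff, rsize, vaddr, _ = s[:5]
    delta = rva - vaddr
    if delta >= rsize:
        raise ValueError(f"RVA {rva:#x} lies in the zero-filled tail of {name}")
    return roff + delta


def entry_point_info():
    s = section_for_rva(ENTRY_POINT_RVA)
    return {"section": s[0], "index": SECTIONS.index(s) + 1,
            "file_offset": rva_to_offset(ENTRY_POINT_RVA),
            "va": IMAGE_BASE + ENTRY_POINT_RVA}


def chi2_single_value(n):
    """Chi-square of n bytes that all share one value, against a uniform expectation."""
    expected = n / 256
    return (n - expected) ** 2 / expected + 255 * expected


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def layout_checks():
    """Return (checks, end_of_raw_data); every check is True for a well-formed image."""
    last = SECTIONS[-1]
    end_of_raw = last[1] + last[2]
    end_of_virtual = last[3] + last[4]
    checks = {
        "raw_sections_contiguous": all(
            SECTIONS[i][1] + SECTIONS[i][2] == SECTIONS[i + 1][1]
            for i in range(len(SECTIONS) - 1)),
        "first_section_follows_headers": SECTIONS[0][1] == SIZE_OF_HEADERS,
        "alignments_respected": all(
            s[1] % FILE_ALIGNMENT == 0 and s[2] % FILE_ALIGNMENT == 0
            and s[3] % SECTION_ALIGNMENT == 0 for s in SECTIONS),
        "size_of_image_matches": align_up(end_of_virtual, SECTION_ALIGNMENT) == SIZE_OF_IMAGE,
        "fptable_is_one_byte_value": abs(chi2_single_value(0x200) - SECTIONS[4][6]) < 0.01,
        "no_section_high_entropy": all(s[5] < 7.0 for s in SECTIONS),
    }
    return checks, end_of_raw


if __name__ == "__main__":
    print(entry_point_info())
    checks, overlay_start = layout_checks()
    for name, ok in checks.items():
        print(f"{name:32s} {ok}")
    print(f"data after the last section starts at file offset {overlay_start:#x}")
```

Any check that comes back False on a real sample is the kind of thing the tool's "malformed header" colour is meant to flag: a gap or overlap between raw sections, a SizeOfImage that does not cover the last section, or an entry point outside a code section.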

Signatures
Rich Signature Analyzer:
Code -> 162191345240FF675240FF675240FF6726C1FA66E240FF6726C1FB664340FF6726C1FC665A40FF67D5C9FC665840FF67D5C9FB664240FF67D5C9FA660640FF6726C1FE665740FF675240FE67D440FF67D9C9F6665340FF67D9C900675340FF67524068675340FF67D9C9FD665340FF67526963685240FF67
Footprint md5 Hash -> C4037D9E1D9D23CE5F8D0A0C3285CB0C
• The Rich header apparently has not been modified

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.44**)[-]
PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.19665

Suspicious Functions
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
File Access
AudioServicesPerform.exe
USER32.dll
KERNEL32.dll
.dat
@.dat
Temp

File Access (UNICODE)
Audio Services Perform.exe
mscoree.dll
kernel32.dll

Words of Interest
exec
start
ping

URLs
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (connect)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Entry Point Hex Pattern PE-Exe Executable Image
Resources
Resource language IDs: 1057 (0x0421, Indonesian) on the icons and version block, 1033 (0x0409, en-US) on the manifest (type 24).
Path DataRVA Size FileOffset Code (hex) | Text
\ICON\1\1057 48280 8DB 44080 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000008A249444154789CEDDC318B5CD719.PNG........IHDR.............\r.f....IDATx...1.\..
\ICON\2\1057 48B60 4228 44960 2800000040000000800000000100200000000000000000000000000000000000000000000000000000000000000000000000(...@......... ...................................
\ICON\3\1057 4CD88 25A8 48B88 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000(...0........ ...................................
\ICON\4\1057 4F330 1A68 4B130 2800000028000000500000000100200000000000000000000000000000000000000000000000000000000000000000000000(...(...P..... ...................................
\ICON\5\1057 50D98 10A8 4CB98 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\ICON\6\1057 51E40 988 4DC40 2800000018000000300000000100200000000000000000000000000000000000000000000000000000000000000000000000(.......0..... ...................................
\ICON\7\1057 527C8 6B8 4E5C8 2800000014000000280000000100200000000000000000000000000000000000000000000000000000000000000000000000(.......(..... ...................................
\ICON\8\1057 52E80 468 4EC80 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000(....... ..... ...................................
\GROUP_ICON\101\1057 532E8 76 4F0E8 0000010008000D0D00000100000DDB080000010040400000010020002842000002003030000001002000A825000003002828....................@@.... .(B....00.... ..%....((
\VERSION\1\1057 53360 2C8 4F160 C80234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000400..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 53628 17D 4F428 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779<?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• 3.4.6.0
• mscoree.dll
• [*] M: audiosrv.bin
• AudioServicesPerform.exe.upd
• .bss
• KERNEL32.dll
• USER32.dll
• Audio Services Perform.exe
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U

Flow Anomalies
Entries are RIP-relative indirect CALL/JMP instructions in .text (FF 15 / FF 25 with a 32-bit displacement, the form import calls through the IAT take) plus the overlay found after the last section; the RVA column is not filled in by the tool.
Offset RVA Section Description
1B7F N/A .text CALL QWORD PTR [RIP+0x2B883]
1BD0 N/A .text CALL QWORD PTR [RIP+0x2B84A]
1BFC N/A .text CALL QWORD PTR [RIP+0x2B7FE]
1D48 N/A .text CALL QWORD PTR [RIP+0x2B6DA]
1D58 N/A .text CALL QWORD PTR [RIP+0x2B9A2]
21C6 N/A .text CALL QWORD PTR [RIP+0x2B244]
21CF N/A .text CALL QWORD PTR [RIP+0x2B243]
22D5 N/A .text CALL QWORD PTR [RIP+0x2B135]
22E2 N/A .text CALL QWORD PTR [RIP+0x2B130]
8275 N/A .text CALL QWORD PTR [RIP+0x251CD]
829D N/A .text CALL QWORD PTR [RIP+0x251AD]
8869 N/A .text CALL QWORD PTR [RIP+0x24EB1]
888D N/A .text CALL QWORD PTR [RIP+0x24E8D]
88E2 N/A .text CALL QWORD PTR [RIP+0x24E38]
88FE N/A .text CALL QWORD PTR [RIP+0x24E1C]
8A67 N/A .text CALL QWORD PTR [RIP+0x24CB3]
8A83 N/A .text CALL QWORD PTR [RIP+0x24C97]
8B87 N/A .text CALL QWORD PTR [RIP+0x24B93]
8BA0 N/A .text CALL QWORD PTR [RIP+0x24B7A]
8BDC N/A .text CALL QWORD PTR [RIP+0x24B3E]
8FC1 N/A .text JMP QWORD PTR [RIP+0x24499]
9275 N/A .text CALL QWORD PTR [RIP+0x24205]
9288 N/A .text CALL QWORD PTR [RIP+0x241FA]
929F N/A .text CALL QWORD PTR [RIP+0x241E3]
92B5 N/A .text JMP QWORD PTR [RIP+0x241E5]
92C5 N/A .text JMP QWORD PTR [RIP+0x241A5]
92CD N/A .text JMP QWORD PTR [RIP+0x241BD]
92D5 N/A .text JMP QWORD PTR [RIP+0x241BD]
92EA N/A .text CALL QWORD PTR [RIP+0x241B8]
938E N/A .text CALL QWORD PTR [RIP+0x24124]
9429 N/A .text CALL QWORD PTR [RIP+0x24089]
9492 N/A .text CALL QWORD PTR [RIP+0x24028]
94E5 N/A .text CALL QWORD PTR [RIP+0x23FD5]
9596 N/A .text CALL QWORD PTR [RIP+0x23F24]
95F0 N/A .text CALL QWORD PTR [RIP+0x23E62]
9876 N/A .text CALL QWORD PTR [RIP+0x23EA4]
9F8B N/A .text CALL QWORD PTR [RIP+0x23567]
9F94 N/A .text CALL QWORD PTR [RIP+0x23556]
9F9A N/A .text CALL QWORD PTR [RIP+0x23560]
9FAE N/A .text JMP QWORD PTR [RIP+0x23554]
9FC2 N/A .text CALL QWORD PTR [RIP+0x23548]
A0A9 N/A .text CALL QWORD PTR [RIP+0x23461]
A149 N/A .text CALL QWORD PTR [RIP+0x23389]
A161 N/A .text CALL QWORD PTR [RIP+0x23379]
A19B N/A .text CALL QWORD PTR [RIP+0x23347]
A1B7 N/A .text CALL QWORD PTR [RIP+0x2331B]
A1D1 N/A .text CALL QWORD PTR [RIP+0x23309]
A20B N/A .text CALL QWORD PTR [RIP+0x232D7]
A257 N/A .text CALL QWORD PTR [RIP+0x2321B]
A265 N/A .text CALL QWORD PTR [RIP+0x231FD]
A271 N/A .text CALL QWORD PTR [RIP+0x232A1]
A281 N/A .text CALL QWORD PTR [RIP+0x231C1]
A2E8 N/A .text JMP QWORD PTR [RIP+0x23232]
A358 N/A .text CALL QWORD PTR [RIP+0x231B2]
A385 N/A .text CALL QWORD PTR [RIP+0x2314D]
A39F N/A .text CALL QWORD PTR [RIP+0x2313B]
A3E3 N/A .text CALL QWORD PTR [RIP+0x230FF]
A437 N/A .text CALL QWORD PTR [RIP+0x230EB]
A454 N/A .text CALL QWORD PTR [RIP+0x2309E]
A45F N/A .text CALL QWORD PTR [RIP+0x2308B]
A496 N/A .text CALL QWORD PTR [RIP+0x22FE4]
A4EC N/A .text JMP QWORD PTR [RIP+0x23006]
A57A N/A .text CALL QWORD PTR [RIP+0x231A0]
A5B6 N/A .text CALL QWORD PTR [RIP+0x23164]
A61A N/A .text CALL QWORD PTR [RIP+0x23100]
A66E N/A .text CALL QWORD PTR [RIP+0x230AC]
A954 N/A .text CALL QWORD PTR [RIP+0x22B86]
AD90 N/A .text CALL QWORD PTR [RIP+0x227A2]
AEB0 N/A .text CALL QWORD PTR [RIP+0x22682]
B3B2 N/A .text CALL QWORD PTR [RIP+0x22368]
B429 N/A .text CALL QWORD PTR [RIP+0x222F1]
B55E N/A .text CALL QWORD PTR [RIP+0x221BC]
B578 N/A .text CALL QWORD PTR [RIP+0x21FC2]
B5B9 N/A .text CALL QWORD PTR [RIP+0x21F89]
B6C3 N/A .text CALL QWORD PTR [RIP+0x25DCF]
B70C N/A .text CALL QWORD PTR [RIP+0x21E26]
B8C4 N/A .text CALL QWORD PTR [RIP+0x21C86]
B94B N/A .text CALL QWORD PTR [RIP+0x21C07]
B983 N/A .text CALL QWORD PTR [RIP+0x21BC7]
B99B N/A .text CALL QWORD PTR [RIP+0x21BB7]
BCCA N/A .text CALL QWORD PTR [RIP+0x21A50]
BEC0 N/A .text CALL QWORD PTR [RIP+0x2185A]
CDD7 N/A .text CALL QWORD PTR [RIP+0x206CB]
D050 N/A .text CALL QWORD PTR [RIP+0x20452]
D70B N/A .text CALL QWORD PTR [RIP+0x2000F]
D9AB N/A .text CALL QWORD PTR [RIP+0x1FD6F]
DD79 N/A .text CALL QWORD PTR [RIP+0x1F7C9]
DFAC N/A .text CALL QWORD PTR [RIP+0x1F596]
EC93 N/A .text CALL QWORD PTR [RIP+0x1E807]
ED31 N/A .text CALL QWORD PTR [RIP+0x1E859]
ED3F N/A .text CALL QWORD PTR [RIP+0x1E80B]
ED69 N/A .text CALL QWORD PTR [RIP+0x1E821]
EDD7 N/A .text CALL QWORD PTR [RIP+0x1E7AB]
EDE3 N/A .text CALL QWORD PTR [RIP+0x1E69F]
EE2F N/A .text JMP QWORD PTR [RIP+0x1E8EB]
EE3B N/A .text JMP QWORD PTR [RIP+0x1E727]
EE78 N/A .text JMP QWORD PTR [RIP+0x1E8A2]
EE84 N/A .text JMP QWORD PTR [RIP+0x1E6F6]
EEC0 N/A .text JMP QWORD PTR [RIP+0x1E85A]
EECC N/A .text JMP QWORD PTR [RIP+0x1E69E]
50000 N/A *Overlay* E01C00000002020030821CCF06092A864886F70D | ........0.....*.H...
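Whether these indirections are ordinary import calls can be settled with the numbers on this page: the slot each instruction reads is the RVA of the next instruction plus the displacement, and for this file that should land at or after the IAT (RVA 2E000) inside .rdata. The overlay at 50000 begins with a WIN_CERTIFICATE header, which is where the Authenticode signature DIE reports lives. The following is an added example, not PESCAN.IO's code; the sample rows are copied from the table above, and the IAT size is an assumption because the report prints only its start.

```python
# Added example (not the report's code): resolve a sample of the Flow Anomalies
# rows to the RVA they read their target from, and parse the WIN_CERTIFICATE
# header that starts the overlay.
import struct

TEXT = {"roff": 0x400, "vaddr": 0x1000}
RDATA_RANGE = (0x2E000, 0x2E000 + 0x12FEA)
IAT_RVA = 0x2E000
IAT_SIZE_ASSUMED = 0x400   # assumption: the report prints only the IAT start, not its size

# constructed from rows of the Flow Anomalies table: (file offset, mnemonic, displacement)
SAMPLE = [
    (0x1B7F, "CALL", 0x2B883),
    (0x8FC1, "JMP",  0x24499),
    (0xA57A, "CALL", 0x231A0),
    (0xB6C3, "CALL", 0x25DCF),
    (0xEE2F, "JMP",  0x1E8EB),
]


def resolve(offset, disp):
    """FF 15 / FF 25 disp32 is 6 bytes long; the slot read is RIP (next insn) + disp."""
    rva = offset - TEXT["roff"] + TEXT["vaddr"]
    slot = rva + 6 + disp
    return {"insn_rva": rva, "slot_rva": slot,
            "in_rdata": RDATA_RANGE[0] <= slot < RDATA_RANGE[1],
            "in_iat_window": IAT_RVA <= slot < IAT_RVA + IAT_SIZE_ASSUMED}


def classify_sample():
    return {off: resolve(off, disp) for off, _, disp in SAMPLE}


OVERLAY_OFFSET = 0x50000
OVERLAY_HEAD = bytes.fromhex("E01C00000002020030821CCF06092A864886F70D")  # from the overlay row
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def decode_oid_prefix(body):
    """Decode as many complete base-128 arcs as the bytes hold (the report truncates the OID)."""
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs += [acc // 40, acc % 40] if not arcs else [acc]
            acc = 0
    return ".".join(map(str, arcs))


def parse_overlay(head, overlay_offset):
    """Parse dwLength/wRevision/wCertificateType and the start of the DER blob behind them."""
    length, revision, cert_type = struct.unpack("<IHH", head[:8])
    if head[8] != 0x30 or head[9] != 0x82:
        raise ValueError("certificate blob does not start with a long-form DER SEQUENCE")
    der_len = struct.unpack(">H", head[10:12])[0]
    if head[12] != 0x06:
        raise ValueError("expected an OID right after the outer SEQUENCE")
    oid_prefix = decode_oid_prefix(head[14:14 + head[13]])
    padded = (8 + 4 + der_len + 7) & ~7   # dwLength covers the header and is rounded up to 8
    return {"dwLength": length, "wRevision": revision,
            "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "der_len": der_len, "length_consistent": padded == length,
            "oid_prefix": oid_prefix, "file_size": overlay_offset + length}


if __name__ == "__main__":
    for off, info in classify_sample().items():
        print(f"{off:#07x} -> slot {info['slot_rva']:#x} rdata={info['in_rdata']} iat={info['in_iat_window']}")
    ov = parse_overlay(OVERLAY_HEAD, OVERLAY_OFFSET)
    print(ov, f"{ov['file_size'] / 1024:.2f} KB")
```

Four of the five sample rows resolve into the first 0x400 bytes of .rdata, i.e. the IAT; the call at B6C3 reads a slot at 32098, elsewhere in .rdata, so it goes through some other pointer table and is the one worth opening in a disassembler. The overlay header decodes to dwLength 0x1CE0, revision 0x0200, type PKCS#7 signed data, with an object identifier beginning 1.2.840.113549 (the RSA/PKCS arc), and 0x50000 + 0x1CE0 = 335,072 bytes = 327.22 KB, exactly the size in the Information block, so nothing trails the signature.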
Extra Analysis
Metric Value Percentage
Ascii Code 178014 53,1271%
Null Byte Code 77254 23,0559%