PESCAN.IO - Analysis Report Basic
| Information |
| Field | Value |
|---|---|
| Size | 4,74 MB |
| SHA-256 Hash | EF204CE3093554CE3A16901BE9B7C2A3672BFC6EE1EF248EBFA3E44BE0B7E018 |
| SHA-1 Hash | 0F8CBC8B9B30A755F7E1B91CC2AF307CAD65E8CD |
| MD5 Hash | 8B0235E17DEFF87AB3D85B082C807136 |
| Imphash | E77807CFBC2E19BC446502B927C3BD2A |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 004C9489 |
| EntryPoint (rva) | 81F50C |
| SizeOfHeaders | 400 |
| SizeOfImage | 8CE000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 476018 |
| IAT | 411000 |
| Characteristics | 23 |
| TimeDateStamp | 69287856 |
| Date | 27/11/2025 16:12:06 |
| File Type | EXE |
| Number Of Sections | 9 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .fptable, .E[, .cl_, .ZGQ, .rsrc |
| Number Of Executable Sections | 3 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | requireAdministrator |
| Note | [Incomplete Binary or Compressor Packer - 4,06 MB Missing] |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 0 | 0 | 1000 | 42E2C | N/A | N/A |
| .rdata | 40000040 (Initialized Data, Readable) | 0 | 0 | 44000 | 1EB5E | N/A | N/A |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 0 | 0 | 63000 | 5D3C | N/A | N/A |
| .pdata | 40000040 (Initialized Data, Readable) | 0 | 0 | 69000 | 3D38 | N/A | N/A |
| .fptable | C0000040 (Initialized Data, Readable, Writeable) | 0 | 0 | 6D000 | 100 | N/A | N/A |
| .E[ | 60000020 (Code, Executable, Readable) | 0 | 0 | 6E000 | 3A2F65 | N/A | N/A |
| .cl_ | C0000040 (Initialized Data, Readable, Writeable) | 400 | 200 | 411000 | D0 | 0,6001 | 115668,00 |
| .ZGQ | 68000060 (Code, Initialized Data, Shared, Executable, Readable) | 600 | 473400 | 412000 | 4733A8 | 7,9880 | 114251,41 |
| .rsrc | 40000040 (Initialized Data, Readable) | 473A00 | 48000 | 886000 | 47F30 | 6,1388 | 3717303,08 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | UplayOffline.exe |
| LegalCopyright | DENUVO.STORE 2025 |
| ProductName | UplayOffline |
| FileVersion | 1.17.2 |
| FileDescription | UplayOffline |
| ProductVersion | 1.17.2 |
| Language | Russian (Russia) (ID=0x419) |
| CodePage | Cyrillic (Windows 1251) (0x4E3) |
| Entry Point |
| Field | Value |
|---|---|
| Section | Section number 8 contains the entry point |
| EntryPoint (calculated) | 40DB0C |
| Code | E8EAF1FDFF0BCE3E2BD70B197707929E72E8A6C663D70B89878782E6BB8A88EF8BAB9C48B82CC4E6D0D71BCFFAA6122CCD5E |
| Disassembly | CALL 0XFFFFFFFFFFFE01EF • OR ECX, ESI • SUB EDX, EDI • OR EBX, DWORD PTR [RCX] • JA 0X1015 • XCHG EAX, EDX • SAHF • JB 0XFFA • CMPSB BYTE PTR [RSI], BYTE PTR [RDI] |
| Packer/Compiler |
| Detect It Easy (die) • PE+(64): linker: Microsoft Linker(14.44)[-] • PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7] • Entropy: 7.95336 |
| File Access |
| $6SHELL32.dll KERNEL32.dll gole32.dll GDI32.dll gdiplus.dll ADVAPI32.dll VERSION.dll OLEAUT32.dll zcUSER32.dll .ps1 @.dat |
| File Access (UNICODE) |
| UplayOffline.exe |
| Interest's Words |
| exec ping |
| URLs |
| • http://ocsp.digicert.com • http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt • http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt • http://crl3.digicert.com/DigiCertTrustedRootG4.crl • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Entry Point | Hex Pattern | Wavelet compressed bitmap |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 8864F0 | A244 | 473EF0 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000080004944415478DAEC7D65981DC795 | .PNG........IHDR.............\r.f....IDATx..}e.... |
| \ICON\2\1033 | 890738 | 10828 | 47E138 | 280000008000000000010000010020000000000000000100130B0000130B0000000000000000000000000000404444014044 | (............. .............................@DD.@D |
| \ICON\3\1033 | 8A0F60 | 4228 | 48E960 | 280000004000000080000000010020000000000000400000130B0000130B0000000000000000000040444400404444034044 | (...@......... ......@..................@DD.@DD.@D |
| \ICON\4\1033 | 8A5188 | 25A8 | 492B88 | 280000003000000060000000010020000000000000240000130B0000130B0000000000000000000040444401404444024044 | (...0........ ......$..................@DD.@DD.@D |
| \ICON\5\1033 | 8A7730 | 10A8 | 495130 | 280000002000000040000000010020000000000000100000130B0000130B0000000000000000000040444401404444014044 | (... ...@..... .........................@DD.@DD.@D |
| \ICON\6\1033 | 8A87D8 | 468 | 4961D8 | 280000001000000020000000010020000000000000040000130B0000130B0000000000000000000040444401404444014044 | (....... ..... .........................@DD.@DD.@D |
| \ICON\7\1033 | 8A8C40 | A244 | 496640 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000080004944415478DAEC7D65981DC795 | .PNG........IHDR.............\r.f....IDATx..}e.... |
| \ICON\8\1033 | 8B2E88 | 10828 | 4A0888 | 280000008000000000010000010020000000000000000100130B0000130B0000000000000000000000000000404444014044 | (............. .............................@DD.@D |
| \ICON\9\1033 | 8C36B0 | 4228 | 4B10B0 | 280000004000000080000000010020000000000000400000130B0000130B0000000000000000000040444400404444034044 | (...@......... ......@..................@DD.@DD.@D |
| \ICON\10\1033 | 8C78D8 | 25A8 | 4B52D8 | 280000003000000060000000010020000000000000240000130B0000130B0000000000000000000040444401404444024044 | (...0........ ......$..................@DD.@DD.@D |
| \ICON\11\1033 | 8C9E80 | 10A8 | 4B7880 | 280000002000000040000000010020000000000000100000130B0000130B0000000000000000000040444401404444014044 | (... ...@..... .........................@DD.@DD.@D |
| \ICON\12\1033 | 8CAF28 | 468 | 4B8928 | 280000001000000020000000010020000000000000040000130B0000130B0000000000000000000040444401404444014044 | (....... ..... .........................@DD.@DD.@D |
| \ICON\13\1033 | 8CB390 | 988 | 4B8D90 | 280000001800000030000000010020000000000060090000130B0000130B00000000000000000000009600FF009600FF0096 | (.......0..... .................................. |
| \ICON\14\1033 | 8CBD18 | 988 | 4B9718 | 280000001800000030000000010020000000000060090000130B0000130B00000000000000000000009600FF009600FF0096 | (.......0..... .................................. |
| \ICON\15\1033 | 8CC6A0 | 988 | 4BA0A0 | 280000001800000030000000010020000000000060090000130B0000130B00000000000000000000009600FF009600FF0096 | (.......0..... .................................. |
| \ICON\16\1033 | 8CD028 | 988 | 4BAA28 | 280000001800000030000000010020000000000060090000130B0000130B00000000000000000000009600FF009600FF0096 | (.......0..... .................................. |
| \GROUP_ICON\107\1033 | 8CD9B0 | 5A | 4BB3B0 | 000001000600000000000100200044A200000100808000000100200028080100020040400000010020002842000003003030000001002000A825000004002020000001002000A810000005001010000001002000680400000600 | ............ .D........... .(.....@@.... .(B....00.... ..%.... .... ............. .h..... |
| \GROUP_ICON\108\1033 | 8CDA10 | 5A | 4BB410 | 000001000600000000000100200044A200000700808000000100200028080100080040400000010020002842000009003030000001002000A82500000A002020000001002000A81000000B001010000001002000680400000C00 | ............ .D........... .(.....@@.... .(B....00.... ..%.... .... ............. .h..... |
| \GROUP_ICON\131\1033 | 8CDA70 | 14 | 4BB470 | 0000010001001818000001002000880900000D00 | ............ ....... |
| \GROUP_ICON\132\1033 | 8CDA88 | 14 | 4BB488 | 0000010001001818000001002000880900000E00 | ............ ....... |
| \GROUP_ICON\133\1033 | 8CDAA0 | 14 | 4BB4A0 | 0000010001001818000001002000880900000F00 | ............ ....... |
| \GROUP_ICON\134\1033 | 8CDAB8 | 14 | 4BB4B8 | 0000010001001818000001002000880900001000 | ............ ....... |
| \VERSION\1\1033 | 8CDAD0 | 2D4 | 4BB4D0 | D40234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 8CDDA8 | 188 | 4BB7A8 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String |
| • UplayOffline.exe • .ZGQ • P.LlC • :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 600-4739FF | 412000 | .ZGQ | Executable section anomaly, first bytes: FD7C1C8973BADAEF |
| 4BBA00 | N/A | *Overlay* | 98200000000202003082208B06092A864886F70D | . ......0. ...*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3334581 | 67,0785% |
| Null Byte Code | 111498 | 2,2429% |