Manalyze report for 21d8399ba0b1a062e7c75fc8eed10acee598ec23aa5734b71583f4874ab301b4

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Jun-10 09:58:17
Detected languages	English - United States
Debug artifacts	EasyAntiCheat_x64.pdb
CompanyName	Epic Games, Inc
FileDescription	EasyAntiCheat Client
FileVersion	`2, 0, 0, 0`
InternalName	EasyAntiCheat.dll
LegalCopyright	Copyright Â© Epic Games, Inc 2019
OriginalFilename	EasyAntiCheat.dll
ProductName	EasyAntiCheat
ProductVersion	`2, 0, 0, 0`

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: alt.easyanticheat.net curl.haxx.se download-alt.easyanticheat.net download.eac-cdn.com eac-cdn.com easyanticheat.net example.com gossip.easyanticheat.net https://curl.haxx.se https://curl.haxx.se/docs/http-cookies.html https://download-alt.easyanticheat.net https://download-alt.easyanticheat.net/api/v1/games/ https://download.eac-cdn.com https://download.eac-cdn.com/api/v1/games/ https://gossip.easyanticheat.net https://gossip.easyanticheat.net/api/v1/games/`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryExW GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Possibly launches other programs: CreateProcessW` `Uses Microsoft's cryptographic API: CryptReleaseContext CryptDestroyHash CryptHashData CryptCreateHash CryptAcquireContextW CryptGetHashParam CryptGenRandom CryptAcquireContextA CryptQueryObject CryptStringToBinaryA` `Can create temporary files: GetTempPathW CreateFileA CreateFileW` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Leverages the raw socket API to access the Internet: closesocket WSAIoctl bind select __WSAFDIsSet ioctlsocket freeaddrinfo getaddrinfo getpeername connect getsockopt htons setsockopt send recv WSAGetLastError WSACleanup WSAStartup WSASetLastError socket getsockname ntohs` `Enumerates local disk drives: GetLogicalDriveStringsW GetDriveTypeW` `Manipulates other processes: OpenProcess` `Interacts with the certificate store: CertAddCertificateContextToStore CertOpenStore`
Info	The PE is digitally signed.	`Signer: EasyAntiCheat Oy` `Issuer: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3`
Safe	VirusTotal score: 0/72 (Scanned on 2025-07-28 05:43:37)	`All the AVs think this file is safe.`

Hashes

MD5	`aa8b8a7ce39382b3f227d9c80ffc769f`
SHA1	`ffd083fb2fb93a305ed5460ec14728c227c756e2`
SHA256	`21d8399ba0b1a062e7c75fc8eed10acee598ec23aa5734b71583f4874ab301b4`
SHA3	`68d25818986158f02543006199e385bc156bca358cdce13eebfcb322c3af75a6`
SSDeep	`24576:+p3phGfN7Cu8Xx7EWzrIykzBxnS4L65yv9WQ:+MCtXxw5e+9b`
Imports Hash	`ffbb5fc6e462287e5bc3e74b057ce90d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x120`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2020-Jun-10 09:58:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x87000`
SizeOfInitializedData	`0x3de00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000005C000 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xc8000`
SizeOfHeaders	`0x400`
Checksum	`0xd065c`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`b8c8dc9cf375ca6dab3de72d5692b9b5`
SHA1	`c2ca8a36525fbf77cca53539b058ffc260b8d7ff`
SHA256	`59d487aab5c348d20daec4c01edcae367ace2f7cd52d27a631e0cfb57be1666c`
SHA3	`5cbd98794e06c7d3f85d070af9407c412c49b61e4e6017e11a9a07166181ac1a`
VirtualSize	`0x86e20`
VirtualAddress	`0x1000`
SizeOfRawData	`0x87000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.42103`

.rdata

MD5	`c361ec066810463730c63f8aa8846b06`
SHA1	`32c14a08cebc31d215ba8986472d4f3c0b6152a4`
SHA256	`0344d6f1b8140cc643483a488144e3a0344e4bed76d6ca34a2f4dc4f2d0eb6a5`
SHA3	`fc04ad118c5c4b9e0741adc2fb6a0158df2c89794136eb39597f27f902aeb09d`
VirtualSize	`0x2cc64`
VirtualAddress	`0x88000`
SizeOfRawData	`0x2ce00`
PointerToRawData	`0x87400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.39246`

.data

MD5	`6c528d48f80d1cd978626c38ac53b683`
SHA1	`c35112a2b2e645ad4c6e4dde7bc6ad1c0ee8c208`
SHA256	`68b1ca962d7aaca2dbebb004d1cebba660a95188bc4de10733485b18df06b501`
SHA3	`f09b41f604ddcff36b67a9d9be75bdf69f69942744b2f99b0ead890ba8f275e7`
VirtualSize	`0x8630`
VirtualAddress	`0xb5000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0xb4200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.86655`

.pdata

MD5	`9eacc50a3082ff1a8c8236e68f046946`
SHA1	`dd3e773b8bf0d514165e22f22cdaa1df475d7f39`
SHA256	`5a392cc0077bf6a706285271848f9795cca3be293db830ae764d997bae100998`
SHA3	`3dcd78c24ae6e62487dfb3a4b310b13c85fa88a1db2f994ae5669e075fea4ebb`
VirtualSize	`0x6fa8`
VirtualAddress	`0xbe000`
SizeOfRawData	`0x7000`
PointerToRawData	`0xb6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.87468`

.rsrc

MD5	`a6df00f6f83f7532585cdf72ef0a632c`
SHA1	`38f1cd4327990cf61236001f3f94dfea0876b053`
SHA256	`1b4807b25984b45670c5df1a9b02ab9fafec76366211436080239f11f4dbaed1`
SHA3	`9cc47e6e6f2b193edbd3dced030bea13b36a8c205409e3d02a1926a734fffa4b`
VirtualSize	`0x378`
VirtualAddress	`0xc5000`
SizeOfRawData	`0x400`
PointerToRawData	`0xbd000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.8832`

.reloc

MD5	`adc28cd963fba3b9a3bf18af3f1db21d`
SHA1	`50cde522a2f938701d9bd091fb5a074f6a79af80`
SHA256	`f565325ac82fc2890d2ce338157eddef7df58c7c807b39ba7601ec5b76991b37`
SHA3	`d5d5af94282015adacbf261b518b4b4a4b5977b63b2a8a71bdab917039e23884`
VirtualSize	`0x12d4`
VirtualAddress	`0xc6000`
SizeOfRawData	`0x1400`
PointerToRawData	`0xbd400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.35668`

Imports

KERNEL32.dll	`SystemTimeToFileTime` `GetModuleHandleW` `GetSystemTime` `GetFileTime` `GetLocaleInfoW` `VirtualProtect` `VirtualFree` `VirtualAlloc` `lstrlenA` `lstrcmpA` `DebugBreak` `CreateEventW` `SetEvent` `ResetEvent` `TryEnterCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSection` `DeleteCriticalSection` `GetCurrentThreadId` `Sleep` `GetLastError` `CreateThread` `SwitchToThread` `MultiByteToWideChar` `LocalFree` `WideCharToMultiByte` `FormatMessageA` `ExitProcess` `GetSystemTimeAsFileTime` `FileTimeToSystemTime` `LocalAlloc` `GetSystemDirectoryW` `LoadLibraryW` `GetCurrentProcessId` `QueryDosDeviceW` `GetLogicalDriveStringsW` `WriteFile` `GetCommandLineW` `GetBinaryTypeW` `GetCurrentProcess` `DuplicateHandle` `CreateDirectoryW` `GetModuleFileNameW` `GetTempPathW` `GetEnvironmentVariableA` `OpenProcess` `CreateProcessW` `SetDllDirectoryW` `DeleteFileW` `GetFileInformationByHandle` `GetFileAttributesW` `FindClose` `FindNextFileW` `GetFileSizeEx` `FindFirstFileW` `ReadFile` `SetLastError` `SleepEx` `InitializeCriticalSectionEx` `ExpandEnvironmentStringsA` `GetModuleHandleA` `VerifyVersionInfoA` `GetSystemDirectoryA` `VerSetConditionMask` `WaitForSingleObjectEx` `CreateFileA` `QueryPerformanceCounter` `QueryPerformanceFrequency` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `EncodePointer` `DecodePointer` `GetCPInfo` `CompareStringW` `LCMapStringW` `GetStringTypeW` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `IsDebuggerPresent` `GetStartupInfoW` `InitializeSListHead` `RtlUnwindEx` `RtlPcToFileHeader` `RaiseException` `InterlockedFlushSList` `LoadLibraryExW` `GetDriveTypeW` `GetFileType` `PeekNamedPipe` `SystemTimeToTzSpecificLocalTime` `ExitThread` `FreeLibraryAndExitThread` `GetModuleHandleExW` `GetModuleFileNameA` `GetConsoleMode` `ReadConsoleW` `GetConsoleCP` `HeapFree` `HeapAlloc` `GetACP` `GetStdHandle` `GetTimeZoneInformation` `FlushFileBuffers` `HeapReAlloc` `GetDateFormatW` `GetTimeFormatW` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `SetFilePointerEx` `GetCurrentDirectoryW` `GetFullPathNameW` `SetStdHandle` `FindFirstFileExA` `FindNextFileA` `IsValidCodePage` `GetOEMCP` `GetCommandLineA` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableA` `GetProcessHeap` `GetFileAttributesExW` `HeapSize` `WriteConsoleW` `SetEndOfFile` `CreateFileW` `CreateSemaphoreW` `CloseHandle` `WaitForSingleObject` `ReleaseSemaphore` `FreeLibrary` `GetProcAddress` `GlobalFree` `GetTickCount64` `LoadLibraryA` `RtlUnwind`
ADVAPI32.dll	`CryptReleaseContext` `CryptDestroyHash` `CryptHashData` `CryptCreateHash` `CryptAcquireContextW` `CryptGetHashParam` `CryptGenRandom` `CryptAcquireContextA`
USER32.dll	`wvsprintfA` `AllowSetForegroundWindow`
WS2_32.dll	`closesocket` `WSAIoctl` `bind` `select` `__WSAFDIsSet` `ioctlsocket` `freeaddrinfo` `getaddrinfo` `getpeername` `connect` `getsockopt` `htons` `setsockopt` `send` `recv` `WSAGetLastError` `WSACleanup` `WSAStartup` `WSASetLastError` `socket` `getsockname` `ntohs`
CRYPT32.dll	`CertAddCertificateContextToStore` `CertFreeCertificateChainEngine` `CertFreeCertificateChain` `CertGetNameStringA` `CertCreateCertificateChainEngine` `CryptQueryObject` `CertGetCertificateChain` `CertOpenStore` `CertFindCertificateInStore` `CertCloseStore` `CryptStringToBinaryA` `CertFreeCertificateContext`

Delayed Imports

Cerberus_BeginFrame

Ordinal	`1`
Address	`0x25f30`

Cerberus_EndFrame

Ordinal	`2`
Address	`0x25f40`

Cerberus_GameRoundEnd

Ordinal	`3`
Address	`0x25f60`

Cerberus_GameRoundStart

Ordinal	`4`
Address	`0x25f50`

Cerberus_PlayerDespawn

Ordinal	`5`
Address	`0x25f80`

Cerberus_PlayerDowned

Ordinal	`6`
Address	`0x26220`

Cerberus_PlayerRevive

Ordinal	`7`
Address	`0x25fa0`

Cerberus_PlayerSpawn

Ordinal	`8`
Address	`0x25f70`

Cerberus_PlayerTakeDamage

Ordinal	`9`
Address	`0x260e0`

Cerberus_PlayerTick

Ordinal	`10`
Address	`0x25fb0`

Cerberus_PlayerUseWeapon

Ordinal	`11`
Address	`0x26040`

ClientAuth_ClientWriteChallengeResponse

Ordinal	`12`
Address	`0x25e40`

ClientAuth_Destroy

Ordinal	`13`
Address	`0x25e20`

ClientAuth_Initialize

Ordinal	`14`
Address	`0x25e10`

CreateClientAuth

Ordinal	`15`
Address	`0x25aa0`

CreateGameClient

Ordinal	`16`
Address	`0x258b0`

CreateGameLauncher

Ordinal	`17`
Address	`0x25b90`

CreateThirdPartyLauncher

Ordinal	`18`
Address	`0x25cf0`

GameClientP2P_BeginSession

Ordinal	`19`
Address	`0x25ec0`

GameClientP2P_Cerberus

Ordinal	`20`
Address	`0x25e80`

GameClientP2P_EndSession

Ordinal	`21`
Address	`0x25e90`

GameClientP2P_InitLocalization

Ordinal	`22`
Address	`0x25e50`

GameClientP2P_PollForMessageToPeer

Ordinal	`23`
Address	`0x25ed0`

GameClientP2P_PollStatus

Ordinal	`24`
Address	`0x25f00`

GameClientP2P_ReceiveMessageFromPeer

Ordinal	`25`
Address	`0x25ef0`

GameClientP2P_RegisterPeer

Ordinal	`26`
Address	`0x25eb0`

GameClientP2P_ResetState

Ordinal	`27`
Address	`0x25e30`

GameClientP2P_SetLogCallback

Ordinal	`28`
Address	`0x25f10`

GameClientP2P_SetMaxAllowedMessageLength

Ordinal	`29`
Address	`0x25ee0`

GameClientP2P_UnregisterPeer

Ordinal	`30`
Address	`0x25e60`

GameClientP2P_UpdatePlatformUserAuthTicket

Ordinal	`31`
Address	`0x25f20`

GameClient_ConnectionReset

Ordinal	`32`
Address	`0x25e30`

GameClient_Destroy

Ordinal	`33`
Address	`0x25e20`

GameClient_Initialize

Ordinal	`34`
Address	`0x25e10`

GameClient_NetProtect

Ordinal	`35`
Address	`0x25ea0`

GameClient_PollStatus

Ordinal	`36`
Address	`0x25e70`

GameClient_PopNetworkMessage

Ordinal	`37`
Address	`0x25e40`

GameClient_PushNetworkMessage

Ordinal	`38`
Address	`0x25e60`

GameClient_SetMaxAllowedMessageLength

Ordinal	`39`
Address	`0x25e50`

GameClient_SetPlatformUserAuthTicket

Ordinal	`40`
Address	`0x25e80`

GameClient_ValidateServerHost

Ordinal	`41`
Address	`0x25e90`

GameLauncher_Destroy

Ordinal	`42`
Address	`0x25e10`

GameLauncher_GetGameProcessId

Ordinal	`43`
Address	`0x25e40`

GameLauncher_OpenGameProcess

Ordinal	`44`
Address	`0x25e60`

GameLauncher_StartGameA

Ordinal	`45`
Address	`0x26280`

GameLauncher_StartGameW

Ordinal	`46`
Address	`0x26290`

NetProtectClient_GetProtectMessageOutputLength

Ordinal	`47`
Address	`0x26270`

NetProtectClient_ProtectMessage

Ordinal	`48`
Address	`0x26230`

NetProtectClient_UnprotectMessage

Ordinal	`49`
Address	`0x26250`

ThirdPartyLauncher_Destroy

Ordinal	`50`
Address	`0x262a0`

ThirdPartyLauncher_Initialize

Ordinal	`51`
Address	`0x262b0`

ThirdPartyLauncher_SetServer

Ordinal	`52`
Address	`0x25f30`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x318`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.34774`
MD5	`b0931b14b15b1f023ee1149627bcac00`
SHA1	`21a208987ea2e6f900c1d54c40e10ff91fd22294`
SHA256	`356ae5731fcbbbdd07b3d35fce61a9800cece478efbae8c1ffab6af3e9559e28`
SHA3	`96edaecc1768c8d19c7472eb8a2721f500c83398977635f695798bd46db3c502`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.0.0.0
ProductVersion	2.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Epic Games, Inc
FileDescription	EasyAntiCheat Client
FileVersion (#2)	2, 0, 0, 0
InternalName	EasyAntiCheat.dll
LegalCopyright	Copyright Â© Epic Games, Inc 2019
OriginalFilename	EasyAntiCheat.dll
ProductName	EasyAntiCheat
ProductVersion (#2)	2, 0, 0, 0

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2020-Jun-10 09:58:17
Version	`0.0`
SizeofData	`46`
AddressOfRawData	`0xa93ec`
PointerToRawData	`0xa87ec`
Referenced File	EasyAntiCheat_x64.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2020-Jun-10 09:58:17
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0xa941c`
PointerToRawData	`0xa881c`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-Jun-10 09:58:17
Version	`0.0`
SizeofData	`904`
AddressOfRawData	`0xa9430`
PointerToRawData	`0xa8830`

TLS Callbacks

StartAddressOfRawData	`0x1800a97d8`
EndAddressOfRawData	`0x1800a97e0`
AddressOfIndex	`0x1800b7760`
AddressOfCallbacks	`0x1800886d0`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x100`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1800b5090`

RICH Header

XOR Key	`0x38aefce3`
Unmarked objects	`0`
C objects (VS2017 v15.?.? build 25203)	`18`
ASM objects (VS2017 v15.?.? build 25203)	`12`
C++ objects (VS2017 v15.?.? build 25203)	`185`
199 (41118)	`4`
ASM objects (VS 2015/2017 runtime 26706)	`9`
C++ objects (VS 2015/2017 runtime 26706)	`58`
C objects (VS 2015/2017 runtime 26706)	`33`
Imports (VS2017 v15.?.? build 25203)	`11`
Total imports	`213`
C++ objects (27039)	`1`
C++ objects (LTCG) (27039)	`116`
Exports (27039)	`1`
Resource objects (27039)	`1`
Linker (27039)	`1`

Errors

Leave a comment

No comments yet.