Medal[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Medal.exe
Size

3.5MB
MD5

e0d383d7c4ce7424594614da3c4a8a69
SHA1

d34617d080d9e0926292c5162903b97a5123c186
SHA256

ee91d861eff1c1178af9781170efe52ec667d0870b5835df2b70485d76aec2af
SHA512

7d562637a722bc2bc07ffc1b73291ec850d06fba5fb011aecb0a31d9fbabe5a977d3503998776c2b99853e3ea0f92147f9a75f9ca320a5209162c619f3a25ebf
SSDEEP

49152:epAnDLh2kAF+2nFqRnstzcoWQdasS+3PCgASJtrBmO7iROew4MWfo:eenDLYqS5C8J3t7Kk3

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Medal.exe

Files

Medal.exe
.exe windows:6 windows x64 arch:x64

a2e935b3867f4fcf2b2ed22aa16ef7cb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Administrator\Desktop\fortnite project\cheat src\marcelfn\fortnite\marcelFN.pdb

Imports

ntdll

RtlCaptureContext
NtQuerySystemInformation
RtlInitUnicodeString
NtOpenFile
RtlLookupFunctionEntry
RtlVirtualUnwind
VerSetConditionMask

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_43

D3DCompile

d3dx11d_43

D3DX11CreateShaderResourceViewFromMemory

kernel32

GetProcessHeap
DeviceIoControl
InitializeCriticalSectionEx
DeleteCriticalSection
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetModuleFileNameA
GetModuleFileNameW
LocalFree
QueryFullProcessImageNameW
GetCurrentThreadId
VirtualFree
SetLastError
FormatMessageA
GetTempPathW
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
CreateFileA
GetFileSizeEx
HeapFree
AreFileApisANSI
GetFileAttributesExW
FindNextFileW
FindFirstFileExW
FindFirstFileW
FindClose
CreateDirectoryW
GetCurrentDirectoryW
GetLocaleInfoEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
K32QueryWorkingSetEx
Process32NextW
Process32FirstW
ReadProcessMemory
VirtualAlloc
OpenProcess
GetCurrentProcessId
K32GetDeviceDriverBaseNameA
K32EnumDeviceDrivers
GetModuleHandleW
GetCurrentProcess
IsDebuggerPresent
Process32Next
Process32First
CreateToolhelp32Snapshot
GetConsoleWindow
SetConsoleTitleA
GlobalAddAtomA
VirtualQuery
VirtualProtect
GetTickCount64
GetCurrentThread
CreateThread
ExitProcess
Sleep
CloseHandle
Beep
WriteFile
ReadFile
GetFileSize
CreateFileW
LoadLibraryA
GetProcAddress
GetModuleHandleA
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileInformationByHandleEx
InitializeSListHead
HeapSize
WakeAllConditionVariable
OutputDebugStringW
SleepConditionVariableSRW

user32

GetForegroundWindow
SetCursorPos
SetCursor
EmptyClipboard
GetClientRect
GetClipboardData
SetClipboardData
GetCursorPos
ClientToScreen
ScreenToClient
CloseClipboard
GetAsyncKeyState
GetKeyState
GetRawInputDeviceList
GetRawInputDeviceInfoW
FindWindowA
LoadCursorA
TranslateMessage
DispatchMessageA
PeekMessageA
PostMessageA
DestroyWindow
OpenClipboard
ShowWindow
SetLayeredWindowAttributes
SetWindowPos
GetSystemMetrics
UpdateWindow
MessageBoxA
GetWindowLongA
SetWindowLongA

advapi32

SetSecurityInfo
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
OpenProcessToken
AddAccessAllowedAce
CopySid
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
ConvertSidToStringSidW
RegCloseKey
RegCreateKeyW
RegOpenKeyW
RegSetKeyValueW
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
RegDeleteTreeW

shell32

ShellExecuteA

msvcp140

??Bid@locale@std@@QEAA_KXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??7ios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
?flags@ios_base@std@@QEBAHXZ
?width@ios_base@std@@QEBA_JXZ
?width@ios_base@std@@QEAA_J_J@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?_Throw_Cpp_error@std@@YAXH@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
?uncaught_exception@std@@YA_NXZ
?setf@ios_base@std@@QEAAHHH@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_ostream@_WU?$char_traits@_W@std@@@2@XZ
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ
?fill@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WXZ
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?id@?$ctype@_W@std@@2V0locale@2@A
_Thrd_detach
_Query_perf_frequency
_Query_perf_counter
?uncaught_exceptions@std@@YAHXZ
_Cnd_do_broadcast_at_thread_exit
?_Xlength_error@std@@YAXPEBD@Z
??1_Lockit@std@@QEAA@XZ
?_Xout_of_range@std@@YAXPEBD@Z
??0_Lockit@std@@QEAA@H@Z

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetContext

dwmapi

DwmExtendFrameIntoClientArea

psapi

GetModuleInformation

shlwapi

PathFindFileNameW

normaliz

IdnToAscii

wldap32

ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord301
ord22
ord41
ord50
ord45
ord60
ord211
ord46
ord217
ord26
ord143

crypt32

CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
CertFreeCertificateChain
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertGetCertificateChain
CertCreateCertificateChainEngine
CertOpenStore
CertFreeCertificateChainEngine
CryptQueryObject

ws2_32

sendto
gethostname
ntohl
ntohs
freeaddrinfo
getaddrinfo
select
__WSAFDIsSet
ioctlsocket
listen
htonl
accept
WSACleanup
WSAStartup
WSAIoctl
WSASetLastError
socket
recvfrom
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
setsockopt

rpcrt4

RpcStringFreeA
UuidToStringA
UuidCreate

userenv

UnloadUserProfile

vcruntime140

__current_exception_context
__current_exception
strrchr
_local_unwind
__C_specific_handler_noexcept
__C_specific_handler
wcsstr
memcmp
strchr
memchr
strstr
__std_terminate
memset
memmove
memcpy
_CxxThrowException
__std_exception_destroy
__std_exception_copy

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
_resetstkoflw
system
_invalid_parameter_noinfo
strerror
__sys_nerr
terminate
_beginthreadex
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_exit
_initterm_e
_initterm
_getpid
_get_initial_narrow_environment
_errno
exit
_crt_atexit
abort
_set_app_type
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_seh_filter_exe
_cexit

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
realloc
free
_recalloc
calloc
_callnewh

api-ms-win-crt-string-l1-1-0

strncmp
strcmp
_wcsicmp
strncpy
tolower
_stricmp
strpbrk
strcspn
_strdup
strspn
isupper

api-ms-win-crt-stdio-l1-1-0

fclose
fflush
__stdio_common_vsscanf
fread
_lseeki64
__stdio_common_vsprintf
_set_fmode
__stdio_common_vfprintf
fgets
feof
fputs
fopen
_wfopen
__p__commode
__acrt_iob_func
_read
_write
_pclose
__stdio_common_vsnprintf_s
_close
_open
_get_stream_buffer_pointers
__stdio_common_vsprintf_s
ungetc
setvbuf
getchar
_popen
_fseeki64
fsetpos
fputc
fgetpos
fgetc
fwrite
fseek
ftell

api-ms-win-crt-utility-l1-1-0

srand
qsort
rand

api-ms-win-crt-math-l1-1-0

cos
sin
sqrt
tanf
__setusermatherr
asin
cosf
sinf
sqrtf
pow
logf
atan2
ceilf
acosf
log
powf
_dclass
atan

api-ms-win-crt-convert-l1-1-0

strtoul
strtoull
strtoll
strtol
strtod
atoi
atof

api-ms-win-crt-filesystem-l1-1-0

_access
_fstat64
_unlock_file
_wremove
_stat64
_unlink
_lock_file

api-ms-win-crt-time-l1-1-0

_gmtime64
strftime
_time64
_localtime64

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func
localeconv

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 244KB - Virtual size: 244KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 134KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a2e935b3867f4fcf2b2ed22aa16ef7cb

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

d3d11

d3dcompiler_43

d3dx11d_43

kernel32

user32

advapi32

shell32

msvcp140

imm32

dwmapi

psapi

shlwapi

normaliz

wldap32

crypt32

ws2_32

rpcrt4

userenv

vcruntime140

vcruntime140_1

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.rdata Size: 244KB - Virtual size: 244KB

.data Size: 1.8MB - Virtual size: 1.8MB

.pdata Size: 52KB - Virtual size: 52KB

_RDATA Size: 512B - Virtual size: 464B

.rsrc Size: 134KB - Virtual size: 133KB

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 1.3MB - Virtual size: 1.3MB

.rdata
Size: 244KB - Virtual size: 244KB

.data
Size: 1.8MB - Virtual size: 1.8MB

.pdata
Size: 52KB - Virtual size: 52KB

_RDATA
Size: 512B - Virtual size: 464B

.rsrc
Size: 134KB - Virtual size: 133KB

.reloc
Size: 3KB - Virtual size: 2KB