RezWareUpdater.exe?ex=670cae4b&is=670b5ccb&hm=6b7767e2959bba7239b160100573375d95ac04f204f064ca6d9161caf5dd4d0e&

First submission 2024-10-13 18:25:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	13474.25 KB (13797632 bytes)
Compile time:	2024-10-10 19:34:17
MD5:	caf83d29d4db7764696f1c225317fe16
SHA1:	d6eccfffdf1558f9661ea5d3682ef81357f3de4c
SHA256:	90d1c781e275b373b9f5d719b04c228e30296564cf874b9c806da895a978c149
Import Hash :	a06f302f71edd380da3d5bf4a6d94ebd
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	7/77 VT report date: 2024-10-13 17:12:00
Malware Type 1	trojan

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1293585587353419776/1293991018248536064/RezWareUpdater.exe?ex=670cae4b&is=670b5ccb&hm=6b7767e2959bba7239b160100573375d95ac04f204f064ca6d9161caf5dd4d0e&	cdn.discordapp.com	2024-10-13 18:25:03

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x2b110	176640	ea200f32c9b32ca6d80cc06d709db3e6a5557f73	55ff5ed922edfe0b0c10734c674f4ee4
.rdata	0x2d000	0x12842	76288	143382e2abb9a78cf7bd9e117d95a50993807fb1	baea2bd13376f5730f42869043fccaa4
.data	0x40000	0x5408	3584	249cf6b3c95e5782a7f27c661b5f018c45d7745c	aff56347f897785154c53727472c548d
.pdata	0x46000	0x22f8	9216	b5fd13ef0a20267ee6c023bcfed00a928a687dfd	57f77a295f3be6e2a8e90035dde19ce2
.rsrc	0x49000	0x4b1c	19456	2bd1ab10e109b0f82c82d8baaef3ff7a46c4ea44	cc038531547849dfae4994fe6bbae7e2
.reloc	0x4e000	0x768	2048	e599e91a866af587afec0cc6408b4eaba8188703	42d6242177dbae8e11ed5d64b87d0d48

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x490e8	17678	PE Resource: RT_ICON - Data PNG IHDR\rforNTwDIDATx]\|tR !!!BO(!Z:* PD (t)@,`3I^n~+{3F21$0dd09ev1f8p%7H _sN~a3Y+f1@N\|w)Z\|c"P) )Eo2jpSwb\|#!$!.ep_'kQc"")ge72v"^)r DWHC"Cwy?]o@v0a!&B<IBj1bx$5/4x[=A{'DI0CCN>a]]+Cv~)""#WI.a'7AP?!?dI0N&Og$Z3,bLKE(!6W(j(d]ij4qt <6{>k6g:1TGK1>$oWytTUA15h3EMiL:#uwtxoC'N^^\|3^>=9&JZRQakt##l(BY:6L>ZzC;uon7b26`;y@Ng\|?t]Zv3'A=#"qS?a%G0e .GI)uM7=,+N:$Nuu3hj`KT>BoWlW~"a(DS?adpuvJr9EW2v ,9wS!)"/(&YCaeQ_:3]]S.#sxn#5/7axO;\ {'WO,!i0xMvgt$p",;C<^+GC!{eC$NW2a<Z6! Cta& s BGPa!a,dm[}!!_kBpGFJ5ZG+m\.5yg po7hJ{n@~`Cca&y7>>\9gol0XCONY8IHOT86]94wJ]X]0ZfIC3&%I0jCgd<% {Fs(+v;'Y[0n"7GAF7e]'$YjO;b}]#=3l jVtT4&J<\|8rl2Y;3Nd"D.YCy{+u< Y8\|@,0HQ/-4HGp=u7e}% L@<=&R H&(=C[%U9@==wnuA\1aK t`g3'6xg4xBouSPam]v{ n27pHQ!H$"#i}5ryJ!:NP?DDIorHN4aa/E`RJQ&F )5dg^v9XDstec I`wq/`Wt[pIHuX<)^}.#}HBK(%+U0~W5onr}n+K_(@a lc: \uZ8 a${Cxw}#nud:V'0Il NM'GM<gc`gr"1p7m<4St :gd]fKs:.%Z/A<"V"5p t:]X+SR )'\|b {m:t7DEsPDW;$tS;? V@vk$,ySG/_Nb;`gN`B~rE.&dZl{~w @W8!GsSq"t: _'l#)z3B_(8,tx`hn~ ?Q#B] \t@GxB@{J0 >h]}< @h%,[K=~/Z xR+1tRN?f,X<1nA/lKn?8P,nd:lds+iS x tnG`w1-z~ 8\|qBT0r)x$'U lm+G1MV#]N;Qf',I:-r .4CVS}m{mZ>Y6-og_tv_ c$#Y}~Z5+PElB(.BC(LUOJ4`R5()1'YF cW8/J(,Q B8BQZ{;/7{B:gm]~x4clT`^4W@?7;_jSt$vHJesJVh)=rP) k58cD2 9:FYU[KujY3;`>uL72UN~l(^RGlF+0#3><$GD%1LqJHb$B}8+[yXggV&1gjr;6g zH)!Z<>UfygOnYIA_&\D%ChtrTm[M}%LnO =C<sl/p Vf~Rx\|T"7`cC2Mp99 {n_WSFu\|+l"&6`gT]w cbbA4d>}:-[V^Mk{.\HM#GR6m())BCCu%GQ;&k9~z%~_?8q"?~mZf +WEg;bj+Wto ni39 LkyOFo0V?`}{;w.}tE"/_~6oL'O4-h pZitR:t]pntIik:pr0wJ]ba2lD$p@1=hXU8Mw[KTX9< 0@ oV;oOZi@-A[Hj9+t q9B/e;-bIC`#:`pWz7m>#v9J~GzBK18/tW #lG(5RG>[A=}6`#]m.91{s9Ta9CYYYv% 7#xGBUkC\|#ebU\N]lE'wng A3coK9 ((7oCW}E,wmS5N\|V hyw)::P NlkR\|^5U#yCNO}G#G(==!8-uOcxd<~z}(XO}{cyf~]tH9Z~7j M0eOg-Br#k5jO?!+;YDi9lV&6m_\|JLc=F_wwx7]{d8eL dY3S<KaC:~vt0ff\|6Y\}:uG;/bcc )9m8FGl 6%+V@CeZJ&0Cndf:%c2lz#n:e4G6eC5=7=rw{:ux1F?'<QZZKcogjIEUC3f48TJ0xKQ+-JrwA\| \| %Yjsl5,f9lL,]g3&RO?-[;nN pypz2{ltBY4+Hrd_fjQ-fUfA\|->!hQ/(=a;WYr8MA'lz5~sZjM4?0A%zAyFw6~p%VQD#UgNwg:$#~k)-a!z7Wm Ebd0?gGTVxqM AEh]Jsr}BM!5`FdRy:Ui<l Wqin5B g(m~lL_qD? 7kxyGWT:Si$v"g e+: f?^l.fc:}lvKU5A~QPrOddSoNNUAzF<A2L:\-` 2R0ZOC=n+VK~LBYS}V4 P];t8@I{=%cj"_z2vS'y)JZM`kCYdQN(mo]ak:#{yjeX?&wvGTSkx={L6`=Agvf"u!`N<P _wsjm?b MIIQ%BN)?Nj;:_<Q-cLUvh^^oOIS1k\|{:yJFYG#m({T[-FT![d6 RFsI+\:vHes4zj3<<j_(;;[3Z<x\?d`&bC0g{eb8v%xC/L$ etFucT'Z2PNZdTVT;veiU8C2PMz6Q-Iu<r2=g n^zI@Y'8 `@+q SJ-[$TQ0UPJ[&53?9 _}?PgY^=U6molmMY_mpRdT1g.snAY+U`UeM' 6mrpL2I[UV%1<K8.;Cy?WzO=b06\|8)M?t6j9@q1Sc}Dh:IDZ=mL{zP}b}zix0 cSn:h 4nAPoDvkMH -Jv6WKO3V6-d 69x-G?S> _qCJQVWJ3K..#[sToKi. .h=k$]:K36@I49}I)?eNpTqh&IM k4l_)5X]<Na0iUJILBO\|IIQoLV7L(l .Gw+WcOG_7Z!PC\e6mTJ_g.c&5:CY^[%4K\|Qf< /3-P@buqaI`lIV.}{E\|E@aE@xo;w:p[l3#t+u$%^+',z [sgiI>y T9k!;-Mt~h\k\9WUrH UgJY+&uWekUad`a5 x[{Rpm^,{NuJ P"32V Jsfcz-a6 6h7VK$<;q 6m(Fb)dZb5%i0[P@v/pFL`DVHh=M{`n@2aS]26~,teo'%l9_-olx?Lq a>Pf=%.T\Nml H-4`]}e9r)%%)4ziPJS f z`T=Y5~tt< CM`7EG lz?De$V:-O(QBqZ/[+(=)Q\|A{k1{[S\+{h~HzRn3MNNvtY#!JYcLqdk>'LS [G}UL dlR-ojXbM_9tKV#Fv2-/ "-}5R\|G6C[dJ1v @nPPqs=Jie&hhaxN;VO8kHFQxfYal>&/gk~XJns3P1o2?#Ng7,P<jt/e2\U~z2+~xgFi;JfNZCGP\l:1'--Sh{0JsW3-k_nl56}iYt:'13>'@I{:rs>\|7ms_ihE<]>oUnC/SMB ^Y:1nZbuf$QapQ-D CWO=GLVPB?g [<"A'Y/m6qR^0v&mX,l(>C^ (VvbWcVG1.l.U/bd-DGj =6#hA /i^7`hlka`mE@ZbK<$'s cA[\+`U[8SZ^lVjkcV[pglUi!6_<oE xf6 [1)HcTvV@kI]E]}?<[i x`6 [6_l6H`h(6td<9VPm dJM-oDP@P@E!R`/.@{, `v` AKb(%)4VNww1P]IA5A. #v7j0p Xd`Fd+5E" `Znc4XC:ZI@X?WA n+Tt_ hE ?Z[^Jk1j E05t+GwA=k}80-ZqC&L~-"V4mm_ZP-(KEpKKJ&`jH4j]7jYb\}.S):nhWhVYI>{-v4YRQJNeB)D0Ep)PWh/X<}Kiy@t-boz/4wk">~9UF!cMxH#n Mb m#@``n_-oD!/LMtot}{#G\|w F-Qu`P>}Z4byf)9@drC9=sGd<^47Q7yPCVP1:v9Hy&b2sg>tVC=#hNvh: QFPmkC{' 0~pF[maj4.Xm{dkBzh2WVHm_W`MmIK69cOkM(_yOM8GT&EM{[MhZ"\|5A@[WYahpDU;i<l2P{p hd59@"A {XBi ((0WSirY$GgW6c-jzd+s8UX Z&[\|u2>>(^C4 8@5X&>y'z`I`l .G77~68"E@!H87.kmRx^@k=}>nzdDH?^#NyP:@9K75<N0~95+I2<x\%RPm&05%UVmZ\CqKGzr[1 ( Z>T\' 4zO~>(%P^G`C`ucz~RSrO;p[` \|}hNrE`bd\4-&j[l zXmIwkZ>pj0~r{kpoi(; h^O?~xUSJjd)'\|(0HT\|6(k" (:\}Lll6%MeN!N}oUV+0.<IU1v,@95:e$&3 )?JF6@8 >LU xO$=&$R7<o"XvP)F;Z`8MZ>Dml67QqP`v7MZ0\7?GWWSlLblN`kwv/'/!\|AP:fpQ80L8dRFX9'c9b04yuK0ZKO nEbijh0dDW^dcHeDi@\|ndO(47(@^_z.LYra5VngoyA BB?^[lLi\G8Z]}+Z8-Fyr=T( k)L num(R_~R!V@S<T{N0YU:M`c[_F:_ohK1EG9D@@Uy\| :?}:D 02$;sA eU/r@IfY\G[1x%/8zsGs:LHX4Mw3,\bTZMQ\|O[j t^#5?Z.L7< (hjpQ,yIjTBpEzxf}nSoV.h&5I;RaqHP@KPJe97+VT{`=?Z%.A_UT!/ 01_U=Tk_sldDie :tVh41BL?":Q;wrJ\|f;b2LzOFIuo +^W$TZs}rU_;u{ztzGg<(nZStT5`@pT>eJ?lvtYcKFh'n`4H/ hU-W C-]?9FWl.OKvF{dG1Ci@,2,i7a?x=i{\NW:@+RcT.RiJ\Kaj!?-)f%vy9HX'=W3-3)`O Wm\>XA$aEPx62u`D=74=>du}B>N-~}c'r?kkoS}Fg~@;J14AW?Hl?}oF.TYE /iz1qNVa+(}y+`]-^;f?A&A?/[tm [\q57y=oeg3"6g``r\c-]a&t_{%X8U`=.TVuuKzV=\|)77LXCPCS{SoeLs/"T]sn/VQwLWe`(dc2-QnzB&!=#K7a3>}"jH?.lCm0GSV tcDZk+$>FCicUrBz^ll~]>T"$ FQ7M!B2z~~>Ps#)8= ,Gvskfk[kwki<q8+sb5U) eSUlBa LF9,+<xir6aIeo%LbJM5"~0HV /WtL(1mF P)p9[D&{D>S>9nq=.t]2Koz8-tke[34b8T`}5=ma+OKp+,_ g+'S~C'2?+el}>H,&3e]sGVx'Y}?:w$&y&3\!hd6nH/F?\|'!$ pzf J~A>+N1zN?mZri!i,S9d7Y65&"E_>_ %o?i/ScKwtvoWVu^)7HPO]\|AalvYIAw}z93{tSsQ(}q;I&&&Jn(Hej`}mW,aSM(v?+?q>5:</p@ ,8NM+;t;L_uw1M%w[p^j %V9g{{os8wG ^ltZg?&CEG?3.)-=M6\|Q ?Nfl 2-eN,?%aOZ/I3Cb]<oi[?wNiv,z:5 c3Kny=S\|v<B>{J[q{kTvurXy`V#=0zF%SH?;~]>V\| yyA7Wal3'a+B?&qDo=4CCd]kMXT/RW:31v8Sp?'[O[@z4s:i6%'RyQN`zm'bt9 UCf.)byj2~(FCgu 6$t2-/DT@Q;N`br~_w0DWA5wQ'tj-Hp\|&qh:}kPZm%Cab5sZNdRW\|4ic3@yM'&lI2!79NXa7y-;"G}?V6R5%f#{sL5Xt=Cs"lA$>^%@{UakGix%8I?ta+iZ94tA(0v jqFoWU9}4}#T\|C#g:]eE7VX)0y=E\|IhB^G'GPF2wfs'Y%>II'n&ZQpq`Z)AON\|={ z_f7 <f9`tC=qo3Fy!a!khpDCh=Q-] 0@hvs+E%h\a}V>?jQkGgB$@\R.B/CA_NJ4pm$5F~>\|-Ly~C ;#vpo][v6dR2<i@%`J`\|TF+?:DT(Epi=>fFzlhPV3k=?t?Ym!D{L#3XIk4`=-QIn f@_#8[;J;}@{2_XPs~ rKvy' o;0$?89Qyy;-aAD:DZ;/w~?_gyLG=wE~~Uo{&g:A;7AKg$}#>E(<zR D,`Lc'j<?iXJc0y@']@wtx?#~9"bO#i&r`a"QTI}!C5Ah+koyaw&=Ov{Hm55>^8{o#k^?qS>LaA8g FFYbh2geV_SNwnn<F'r' C-4WTH3;,uZ()7wy3HP7}9l0V\| 3 cV)<8[Cg.}resY_o?[OokCK?O/)CnmrD .cvPNnlq.Y-j\|PY}J=+0q( &\|>,"xxd5Jnuc?IW;ugUM/H\uY;+5ZQGC38N(>:C[2+sn:Gttw 7 uj@WeZV[_tH&i1Wh O+QTZ35hGCwh}i`y'2RQU\<[_$0>1v+F?fpevK<w}gB.&tCF9?`JN]99x iftWvP&RFUT(Rwe)q?}}]i{ >]#O_57&31d Detu^(_1fM]YroMVQ7I9K9a$WgQ>9>/mSw`\..BOC/T #?bM!qV6!9"Gbh :t\|]Wp}OM.L)oW~QJC%"J$R]w.I?\|6,n;:5:8?; CQ4<bSz57'#n+U\E~mM>]J z&y.OLTXXkaeI"\Jf?^~#@{6wS%Hci444oj]Z:+6.o3m_1eZ htjP'Q. r/LB9uc#8)]k"HO(y_{2)$<>("tAWj0'[vo+,}3@4_O7@gZ ,=gMFY0gOvFAM#!Zk 3DT`Dd7}+z v@'14f9,,Z4 pZsB8{\|T~oq 8<""-s}2Xl={4GyjTlYx24aX)I=&ihMbRi-hT\|2K3d: %X8lvt~@Gm_\:BOc8o[z9 hHD~o}j&g\<0aTVcIczQ;yl2O cntS:,^x~f%=3 r7`Rh8AY\8eNGkdp2SV1UoO&7v+2w,K[%1\ .q'^Gt]B\|`jX''}-+rUzeUvkZ4g"5L=n`.Yj)$J(2Cb[5u=S>\|)YL2rm3Y??~QSZ}hn8':8teLJC+E?K&>0UNuSeXvZ\N]",whZg%wb3"PL lOs@{_4$KGYba(O*0J{[U\Pd F&;B6qX^R~zR2qM7GjO./sU& -`cx^#uY=~V$>FiE5""%;$qgv2,(D #G 2dLt.,I%KM'Me\|mhj&Yz# D z$ Uw+Y8 Yx{2ns{?cl1@5I-7 f IENDB`
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x4d5f8	20
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x4d60c	1293	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language=""/> </dependentAssembly> </dependency> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x490e8

17678

PNG


IHDR\rforNTwDIDATx]|tR	!!!BO(!Z:*
PD	*(t)@,`3I^n~+{3F21$0dd09ev1f8p%7H
_sN~a3Y+f1@N|w)Z|c"P) )Eo2jpSwb|*#!$!.ep_'kQc"")g*e72v"^)r DWHC"Cwy?]o@v0a!&B<IBj1bx$5/4x[=A{'DI0C*CN>a]]+Cv~)""#WI.a'7AP?!?dI0N&Og$Z3,bLKE(!6*W(j(d]ij4qt
<6{>k6g:1TGK1>$oWytTUA15h3EMiL:#uwtxoC'N^^|3^>=9&JZRQakt##l(B*Y:6L>ZzC;uon7b26`;y@Ng|?t]Zv3'A=#"qS*?a%G0e
.GI)uM7=,+N:$Nuu3h*j`KT>BoWlW~"a(DS?adpuvJr9EW2v
,9wS!)"/(&YC*aeQ_:3]]S.#sxn#5/7axO;\	{'WO,!i0xMvgt$p",;C<^+GC!{eC$NW2a<Z6!
Cta&	s	BGPa!a,d*m[}!!_kBpGFJ5ZG+m\.5yg
po7hJ{n@~`Cca&y7>>\9gol0XCONY8IHOT86]94wJ]X]0ZfIC3&%I0jCgd<%	{Fs(+v;'Y[0n"7GAF7e]'$YjO;b}]#=3l
jVtT4&J<|8rl2Y;3Nd"D.YCy{+u< Y8|@,0HQ/-4HGp=u7e}%	L@<=&R	H&(=C[%U9@==wnuA*\1aK	t`g3'6xg4xBouSPam]v{
 n27pHQ!H$"#i}5ryJ!:NP?D*DIorHN4aa/E`RJQ&F
)5dg^v9XDstec I`wq/`Wt[pIHuX<)^}.#}HBK(%+U0~W5onr}n+K_(@a
lc:	\uZ8
a${Cxw}#nud:V'0Il
NM'GM<g*c`gr"1p7m<4St
:gd]fKs:.%Z/A<"*V"5p	t:]X+SR
)*'|b
{m:t7DEsPDW;$tS;?	V@vk$,ySG/_Nb;`gN`B~rE.&dZl{~w	@W8!GsSq"t:
_'l#)z3B_(8,tx`hn~
?Q#B]
\t@GxB@{J0
>h]}<	@h%,[K=~/Z
xR+1tRN?f,X<1nA/lKn?8P,nd:lds+iS	x tnG`w1-z~ 8|qBT0r)x$'U	lm+G1MV#]N;Qf',I:-r
.4CVS}m{mZ>Y6-og_tv_
c$#Y}~Z5+PElB(.BC(LUO*J4*`R5()1'YF
cW8/J(,Q B8BQZ{;/7{B:gm]~x4clT`^4W@?7;_jSt$vHJesJVh)=rP)
k58cD2 9:FYU[KujY3;`>uL72U*N~l(^RGlF+0#3><$GD%1LqJHb$B}8+[yXggV&1gjr;6g
zH)!Z<>Ufyg*OnYIA_&\D%ChtrTm[M}%LnO
=C<sl/p	 Vf~Rx|T"7`cC2Mp99 {n_WSFu|+l"&6`gT]w	cbbA4d>}:-[V^Mk{.\HM#GR6m())BCCu%GQ;&k9~z%~_?8q"?~mZf
+WEg;bj+Wto
ni39
LkyOFo0V?`}{;w.}tE"/_~6oL'O4-h	pZitR:t]pntIik:pr0wJ]ba2lD$p@1=hXU8Mw[KTX9<
0@
oV;oOZi@-A[Hj9+t	q9B/e;-bIC`#:`pWz7m>#v9J~GzBK18/tW
#lG(5RG>[A=}6`#]m.91{s9Ta9CYYYv%	7#xGBUkC|#ebU\N]lE'wng	A3coK9
((7oCW}E,wmS5N|V	hyw)::P
NlkR|^5U#yCNO}G#G(==!8-uOcxd<~z}(XO}{cyf~]tH9Z~7j
M0eOg-Br#k5jO?!+;YDi9lV&6m_|JLc=F_wwx7]{d8eL dY3S<KaC:~vt0ff|6Y\}:uG;/bcc
)9m8FGl

6%+V@CeZJ&0Cndf:%c2lz#n*:e4G6eC5=7=rw{:ux1F?'<QZ*ZKcogjIEUC3f48TJ0xKQ+-JrwA|
| %Yjsl5,f9lL,]g3&RO?-[;nN
pypz2{ltBY4+Hrd_fjQ-fUfA|->!hQ/(=a;WYr8MA'lz5~sZjM4?0A%zAyFw6~p%VQD#UgNwg:$#~k)-a!z7Wm	Ebd0?gGTVxqM
AEh]J*sr}*BM!5`FdRy:Ui<l
Wqin5B
g(m~lL_qD?
7kxyGWT:Si$v"g
e+: f?^l.fc:}lvKU5A~QPrOddSoNNUAzF<A2L:\-`
2R0ZOC=n+VK~LBYS}V4
P];t8@I{=%cj"_z2vS'y)JZM`kCYdQN(mo]ak:#{yjeX?&wvGTSkx={L6`=Agvf"u!`N<P _wsjm?b MIIQ%BN)?Nj;:_<Q-cLUvh^^oOIS1k|{:yJFYG#m({T[-FT![d6 RFsI+\:vHes4zj3<<j_(;;[3Z<x\?d`&bC0g{eb8v%xC/L$
etFucT'Z2PNZdTVT;veiU8C2PMz6Q-Iu<r2=g
n^zI@Y'8
`@+q
SJ-[$TQ0UPJ[&53?9 _}?PgY^=U6molmMY_mpRdT1g.snAY+U`UeM'
6mrpL2I[UV%1<K8.;Cy?WzO=b06|8)M?t6j9@q1Sc}Dh:IDZ=mL{zP}b}zix0
cSn:h
4nAPoDvkMH	-Jv6WKO3*V6-d
69x-G?S> _qCJQVWJ3K..#[sToKi.
.h=k$]:K36@I49}I)?eNpTq*h&IM
k4l_)5X]<Na0iUJILBO|IIQoLV7L(l
.Gw+WcOG_7Z!PC\e6mTJ_g.c&5:CY^[%4K|Qf<	/3-P@buqaI`lIV.}{E|E@aE@xo;w*:p[l3#t+u$%^+',z [sgiI>y T9k!;-Mt~h\k\9WUrH UgJY+&uWe*kUad`a5	x[{Rpm^,{NuJ
P"*32V
Jsfcz-a6	6h7VK$<;q
6m(Fb)dZb5%i0[P@v/pFL`DVHh=M{`n@2aS]26~,teo'%l9_-olx?Lq
a>Pf=%.T\*Nml	H-4`]}e9r)%%)4ziPJS
f z`T=Y5~tt< CM`7EG
lz?De$V:-O(QBqZ/[+(=)Q|A{k1{[S\+{h~HzRn3MNNvtY#!JYcLqdk*>'LS
[G}UL dlR-ojXbM_9tKV#Fv2-/ "*-}5R|G6C[dJ1v	@nPPqs=Jie&hhaxN;VO8kHFQxfYal>&/gk~XJns3P1o2?#Ng7,P<jt/e2\U~z2+~xgFi;JfNZCGP\l:1'--Sh{0JsW3-k_nl56}iYt:'13>'@I{:rs>|7ms_ihE<]>oUnC/SMB	^Y:1nZbuf$QapQ-D	CWO=GLVPB?g
[<"A'Y/m6qR^0v&mX,l(>C^
(VvbWcVG1.l.U/bd-DGj	=6#hA /i^7`hlka`mE@ZbK<$'s
cA[\+`U[8SZ^lVjkcV[pglUi!6_<oE
xf6
[1)HcTvV@kI]E]}?<[i	x`6
[6_l6H`h(6td<9VPm	dJM-oDP@P@E!R`/.@{,  `v`	AKb(%)4VNww1P]IA5A.  #v7j0p
Xd`Fd+5E" `*Znc4XC:ZI@X?WA
n+Tt_
hE ?Z[^Jk1j	E05t+GwA=k}80-ZqC&L~-"V4mm_ZP-(KEpKKJ&`jH4j]7jYb\}.S):*nhWhVYI>{-v4YRQJ*NeB)D0Ep)PWh/X<}Kiy@t-boz/4wk">*~9UF!cMxH#n
Mb m#@``n_-oD!/LMtot}{#G|w F-Qu`P>}Z4byf)9@drC9=sGd<^47Q7yPCVP1:v9Hy&b2sg>tVC=#hNvh:	QFPmkC{'
0~pF[maj4.Xm{dkBzh2WVHm_W`MmIK69cOkM(_yOM8GT&EM{[MhZ"|5A@[WYahpDU;i<l2P{p hd59@"A	{XBi
((0WSirY$GgW6c-jzd+s8UX	Z&[|u2>>(^C4
8@5X&>y'z`I`l	.G77~68"E@!H*87.kmRx^*@k=}>nzdDH?^#NyP:@9K75<N0~95+I2<x\%RPm&05%UVmZ\CqKGzr[1	( Z>T\' 4zO~>(%P^G`C`ucz~RSrO;p[`
|}hNrE`bd\4-&j[l
zXmIwkZ>pj0~r{kpoi(;	h^O?~xUSJjd)'|(0HT|6(k" (:\}Lll6%MeN!N}oUV+0.<IU1v,@95:e$&3 )?JF6@8	>LU	xO$=&$R7<o"XvP)F;Z`8MZ>Dml67QqP`v7MZ0\7?GWWSlLblN`kwv/'/!|AP:fpQ80L8dRFX9'c9b04yuK0ZKO
nEbijh0dDW^dcHeDi@|ndO(47(@^_z.LYra5Vngoy*A
BB?^[lLi\G8Z]}+Z8-Fyr=T(
k)L	num(R_~R!V@S<T{N0YU:M`c[_F:_ohK1EG9D@@Uy|
:?}:D 02$;*sA 
eU/r@IfY\G*[*1x%/8zsGs:LHX4Mw3,\bTZMQ|O[j t^#5?Z.L7<
(hjpQ,yIjTBpEzxf}nSoV.h&5I;RaqHP@KPJe97+VT{`=?Z%.A_UT!/	01_U=Tk_sldDie
:tVh41BL?":Q;wrJ|f;b2LzOFIuo
+^W$TZs}rU_;u{z*tzGg<(nZStT5`@pT>eJ?lvtYcKFh'n`4H/ hU-W C-]?9FWl.OKvF{dG1Ci@,2,i7a?x=i{\NW:@+RcT.RiJ\Kaj!?-)f%vy9HX'=W3-3)`O
Wm\>XA$aEPx62u`D=74=>du}B>N-~}c'r?kkoS}Fg~@;J14AW?Hl?}oF.TYE
/iz1qNVa+(}y+`]-^;f?A&A?/[tm	[\q57y=oeg3"6g``r\c-]a&t_{%X8U`=.TVuuKzV=|)77LXCPCS{SoeLs/"T]sn/VQwLWe`(dc2-QnzB&!=#K7a3>}"jH?.lCm0GSV	tcDZk+$>FCicUrBz^ll~]>T"$
FQ7M!B*2z~~>Ps#)8=
,Gvskfk[kwki<q8+sb5U)
eSUlBa LF9,+<xir6aIeo%LbJM5"~0HV /WtL(1mF
 P)p9[D&{D>S>9nq=.t]2Koz8-tke[34b8T`}5=ma+OKp+,_	*g*+'S~C'2?+el}>H,&3e]sGVx'Y}?:w$&y&3\!hd6nH/F?|'!$	pzf	 J~A>+N1zN?m*Zri!i,S9d7Y65&"E_>_ %o?i/ScKwtvoWVu^)7HPO]|AalvYIAw}z93{tSsQ(}q;I&&&Jn(Hej`}mW,aSM(v?+?q>5:</p@	,8NM+;t;L_uw1M%w[p^j
%V9g{{os8wG
^ltZg?&CEG?3.)-=M6|Q	?Nfl
2-eN,?%aOZ/I3Cb]<oi[?wNiv,z:5
c3Kny=S|v<B>{J[q{kTvurXy`V#=0zF%SH?;~]>V| yyA7Wal3'a+B?&qDo=4CCd]kMXT/RW:31v8Sp?'[O[@z4s:i6%'RyQN`zm'bt9	 UCf.)byj2~(FCgu
6$t2-/DT@Q;N`br~_w0DWA5wQ'tj-Hp|&qh:}kPZm%Cab5sZNdRW|4ic3@yM'&lI2!79NXa7y-;"G}?V6R5%f#{sL5Xt=Cs"lA$>^%@{UakGix%8I?ta+iZ94tA(0v	jqFoWU9}4}#T|C#g:]eE7VX)0y=E|IhB^G'GPF2wfs'Y%>II'n&ZQpq`Z)AON|={
z_f7
<f9`tC=qo3Fy!a!khpDCh=Q-] 0@hvs+E%h\a}V>?jQkGgB$@\R.B/CA_NJ4pm$5F~>|-Ly~C
;#vpo][v6dR2<i@%`J`|TF+?:DT(Epi=>fFzlhPV3k=?t?Ym!D{L*#3XIk4`=-QIn
f@_#8[;J;}@{2_XPs~	rKvy'	o;0$?89Qyy;-aAD:DZ;/w~?_gyLG=wE~~Uo{&g:A;7AKg$}#>E(<zR
D,`Lc'j<?iXJc0y@']@wtx?#~9"bO#i&r`a"QTI}!C5Ah+koyaw&=Ov{Hm55>^8{o#k^?qS>LaA8g
FFYbh2geV_SNwnn<F'r'
C-4WTH3;,uZ()7wy3HP7}9l0V|
3 cV)<8[Cg.}resY_o?[OokCK?O/)CnmrD
	
.cvPNnlq.Y-j|PY}J=+0q(	&|>,"xxd5J*nuc?IW;ugUM/H\uY;+5ZQGC38N(>:C[2+sn:Gttw
7
uj@WeZV[_tH&i1Wh
O+QTZ35hGCwh}i`y'2RQU\<[_$0>1v+F?fpevK<w}gB.&tCF9?`JN]99x	iftWvP&RFUT(Rwe)q?}}]i{	>]#O_57&31d *Detu^(_1fM]YroMVQ7I9K9a$WgQ>9>/mSw`\..BOC/T	#?bM!qV6!9"Gbh
:t|]Wp}OM.L)oW~QJC%"J$R]w*.I?|6,n;:5:8?;
CQ4<bSz57'#n+U\E~mM>]J
z&y.OLTXXkaeI"\Jf?^~#@{6wS%Hci444oj]Z:+6.o3m_1eZ
htjP'Q.	r/LB9uc#8)]k"HO(y_{2)$<>("tAWj0'[vo+,}3@4_O7@gZ
,=gMFY0gOvFAM#!Zk	3DT`Dd7}+z	v@'14f9,,Z4
pZsB8{|T~oq
8<""-s}2Xl={4Gy*jTlYx24aX)I=&ihMbRi-hT|2K3d: %X8lvt~@Gm_\:BOc8o[z9
hHD~o}j&g\<0aTVcIczQ;yl2O cntS:,^x~f%=3	r7`Rh8AY\8eNGkdp2SV1UoO&7v+2w,K[%1\
.q'^Gt]B|`jX''}-+rUzeUvkZ4g"5L=n`.Yj)$J(2Cb[5u=S>|)YL2r*m3Y??~QSZ}hn8':8teLJC+E?K&*>0U*NuSeXvZ\N]",whZg*%wb3"PL
lOs@{_4$KGYba(O**0J{[U\Pd F&;B6qX^R~zR2qM7GjO./sU&
-`cx^#uY=~V$>FiE5""%;$qgv2,(D
#G	2dLt.,I%KM'Me|mhj&Yz# D
z$
 Uw+Y8 Yx{2ns{?cl1@5I-7 f
IENDB`

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x4d5f8

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x4d60c

1293

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 7

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Backup
h.oLd
Compressed
base_library.zip
bbase_library.zip
Library
mscoree.dll
vcruntime140.dll
bapi-ms-win-core-file-l1-1-0.dll
bapi-ms-win-crt-math-l1-1-0.dll
ucrtbase.dll
bapi-ms-win-core-sysinfo-l1-1-0.dll
bapi-ms-win-core-namedpipe-l1-1-0.dll
bpywin32_system32\pywintypes312.dll
bapi-ms-win-crt-string-l1-1-0.dll
bapi-ms-win-core-memory-l1-1-0.dll
bapi-ms-win-core-file-l1-2-0.dll
bapi-ms-win-core-processthreads-l1-1-1.dll
bapi-ms-win-core-interlocked-l1-1-0.dll
bapi-ms-win-core-profile-l1-1-0.dll
bapi-ms-win-core-datetime-l1-1-0.dll
bapi-ms-win-crt-utility-l1-1-0.dll
bapi-ms-win-crt-multibyte-l1-1-0.dll
bapi-ms-win-core-synch-l1-1-0.dll
bapi-ms-win-core-rtlsupport-l1-1-0.dll
bpython312.dll
bapi-ms-win-crt-locale-l1-1-0.dll
bapi-ms-win-crt-runtime-l1-1-0.dll
bapi-ms-win-crt-process-l1-1-0.dll
bapi-ms-win-core-util-l1-1-0.dll
bapi-ms-win-core-console-l1-1-0.dll
bapi-ms-win-crt-time-l1-1-0.dll
bapi-ms-win-core-file-l2-1-0.dll
bapi-ms-win-core-heap-l1-1-0.dll
bapi-ms-win-crt-environment-l1-1-0.dll
bapi-ms-win-core-timezone-l1-1-0.dll
blibffi-8.dll
bpywin32_system32\pythoncom312.dll
bapi-ms-win-core-string-l1-1-0.dll
bapi-ms-win-crt-conio-l1-1-0.dll
blibcrypto-3.dll
bapi-ms-win-crt-heap-l1-1-0.dll
bucrtbase.dll
ADVAPI32.dll
KERNEL32.dll
8python312.dll
bapi-ms-win-core-processenvironment-l1-1-0.dll
bPythonwin\mfc140u.dll
USER32.dll
bapi-ms-win-crt-convert-l1-1-0.dll
bVCRUNTIME140.dll
blibssl-3.dll
bapi-ms-win-core-debug-l1-1-0.dll
bapi-ms-win-core-processthreads-l1-1-0.dll
bapi-ms-win-crt-filesystem-l1-1-0.dll
bapi-ms-win-core-handle-l1-1-0.dll
bVCRUNTIME140_1.dll
bapi-ms-win-core-localization-l1-2-0.dll
Bapi-ms-win-core-synch-l1-2-0.dll
bpython3.dll
bapi-ms-win-core-libraryloader-l1-1-0.dll
bapi-ms-win-core-errorhandling-l1-1-0.dll
bapi-ms-win-crt-stdio-l1-1-0.dll

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2016/WindowsSettings

Import functions

ADVAPI32.dll 4 KERNEL32.dll 107 USER32.dll 14

Function	Address	Souspicious	Anti Debug
ConvertSidToStringSidW	0x14002d000
GetTokenInformation	0x14002d008
OpenProcessToken	0x14002d010
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002d018

Function	Address	Souspicious	Anti Debug
GetTimeZoneInformation	0x14002d028
GetProcessHeap	0x14002d030
FreeEnvironmentStringsW	0x14002d038
GetEnvironmentStringsW	0x14002d040
GetCPInfo	0x14002d048
GetOEMCP	0x14002d050
GetACP	0x14002d058
IsValidCodePage	0x14002d060
GetStringTypeW	0x14002d068
FormatMessageW	0x14002d070
GetLastError	0x14002d078
GetModuleFileNameW	0x14002d080
LoadLibraryExW	0x14002d088
SetDllDirectoryW	0x14002d090
CreateSymbolicLinkW	0x14002d098
GetProcAddress	0x14002d0a0
CreateDirectoryW	0x14002d0a8
GetCommandLineW	0x14002d0b0
GetEnvironmentVariableW	0x14002d0b8
ExpandEnvironmentStringsW	0x14002d0c0
DeleteFileW	0x14002d0c8
FindClose	0x14002d0d0
FindFirstFileW	0x14002d0d8
FindNextFileW	0x14002d0e0
HeapSize	0x14002d0e8
RemoveDirectoryW	0x14002d0f0
GetTempPathW	0x14002d0f8
CloseHandle	0x14002d100
QueryPerformanceCounter	0x14002d108
QueryPerformanceFrequency	0x14002d110
WaitForSingleObject	0x14002d118
Sleep	0x14002d120
GetCurrentProcess	0x14002d128
GetCurrentProcessId	0x14002d130
TerminateProcess	0x14002d138
GetExitCodeProcess	0x14002d140
CreateProcessW	0x14002d148
GetStartupInfoW	0x14002d150
FreeLibrary	0x14002d158
LocalFree	0x14002d160
SetConsoleCtrlHandler	0x14002d168
GetConsoleWindow	0x14002d170
K32EnumProcessModules	0x14002d178
K32GetModuleFileNameExW	0x14002d180
CreateFileW	0x14002d188
FindFirstFileExW	0x14002d190
GetFinalPathNameByHandleW	0x14002d198
MultiByteToWideChar	0x14002d1a0
WideCharToMultiByte	0x14002d1a8
GetFileAttributesExW	0x14002d1b0
HeapReAlloc	0x14002d1b8
WriteConsoleW	0x14002d1c0
SetEndOfFile	0x14002d1c8
GetDriveTypeW	0x14002d1d0
IsDebuggerPresent	0x14002d1d8
RtlCaptureContext	0x14002d1e0
RtlLookupFunctionEntry	0x14002d1e8
RtlVirtualUnwind	0x14002d1f0
UnhandledExceptionFilter	0x14002d1f8
SetUnhandledExceptionFilter	0x14002d200
IsProcessorFeaturePresent	0x14002d208
GetCurrentThreadId	0x14002d210
GetSystemTimeAsFileTime	0x14002d218
InitializeSListHead	0x14002d220
GetModuleHandleW	0x14002d228
RtlUnwindEx	0x14002d230
SetLastError	0x14002d238
EnterCriticalSection	0x14002d240
LeaveCriticalSection	0x14002d248
DeleteCriticalSection	0x14002d250
InitializeCriticalSectionAndSpinCount	0x14002d258
TlsAlloc	0x14002d260
TlsGetValue	0x14002d268
TlsSetValue	0x14002d270
TlsFree	0x14002d278
EncodePointer	0x14002d280
RaiseException	0x14002d288
RtlPcToFileHeader	0x14002d290
GetFileInformationByHandle	0x14002d298
GetFileType	0x14002d2a0
PeekNamedPipe	0x14002d2a8
SystemTimeToTzSpecificLocalTime	0x14002d2b0
FileTimeToSystemTime	0x14002d2b8
ReadFile	0x14002d2c0
GetFullPathNameW	0x14002d2c8
SetStdHandle	0x14002d2d0
GetStdHandle	0x14002d2d8
WriteFile	0x14002d2e0
ExitProcess	0x14002d2e8
GetModuleHandleExW	0x14002d2f0
GetCommandLineA	0x14002d2f8
HeapFree	0x14002d300
GetConsoleMode	0x14002d308
ReadConsoleW	0x14002d310
SetFilePointerEx	0x14002d318
GetConsoleOutputCP	0x14002d320
GetFileSizeEx	0x14002d328
HeapAlloc	0x14002d330
FlsAlloc	0x14002d338
FlsGetValue	0x14002d340
FlsSetValue	0x14002d348
FlsFree	0x14002d350
CompareStringW	0x14002d358
LCMapStringW	0x14002d360
GetCurrentDirectoryW	0x14002d368
FlushFileBuffers	0x14002d370
SetEnvironmentVariableW	0x14002d378

Function	Address	Souspicious	Anti Debug
TranslateMessage	0x14002d388
ShutdownBlockReasonCreate	0x14002d390
GetWindowThreadProcessId	0x14002d398
SetWindowLongPtrW	0x14002d3a0
GetWindowLongPtrW	0x14002d3a8
MsgWaitForMultipleObjects	0x14002d3b0
ShowWindow	0x14002d3b8
DestroyWindow	0x14002d3c0
CreateWindowExW	0x14002d3c8
RegisterClassW	0x14002d3d0
DefWindowProcW	0x14002d3d8
PeekMessageW	0x14002d3e0
DispatchMessageW	0x14002d3e8
GetMessageW	0x14002d3f0

Name	Latest seen	MD5
FreeMenuF7.exe?ex=670c6a4f&is=670b18cf&hm=708940c07a26aaf3672b4ecc443356a73d7db9284ddace557e866ab656ed23b4&	2024-10-13 17:37:02	1069ade6b99d29bfe4d0526e23ed714d
oconsole.exe	2024-10-16 08:19:03	a6ff47344d0188ec4c26dc435698a477

RezWareUpdater.exe?ex=670cae4b&is=670b5ccb&hm=6b7767e2959bba7239b160100573375d95ac04f204f064ca6d9161caf5dd4d0e&

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 3

Packers detected 2

Anti debug functions 7

Strings analysis - File found

Strings analysis - Possible URLs found 1

Import functions

Related files by ImpHash 2 a06f302f71edd380da3d5bf4a6d94ebd