Manalyze report for 4779db5eb5116033e0f2e5d7fda041a4887830c778319d55b0bbbef55a6a0e7f

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Aug-02 11:07:59
Detected languages	English - United States
CompanyName	WORK PRODUCT, INC.
FileDescription	OneBrowser Installer
FileVersion	`1.3.81.10`
InternalName	OneBrowser Installer
LegalCopyright	Copyright 2025 WORK PRODUCT, INC.
OriginalFilename	OBUpdateService.exe
ProductName	OneBrowser Update
ProductVersion	`1.3.81.10`

Plugin Output

Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress LoadLibraryA LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegQueryValueExA RegEnumValueW RegEnumKeyW RegQueryValueExW RegCloseKey RegEnumKeyExW RegOpenKeyExW SHGetValueW SHGetValueA` `Possibly launches other programs: CreateProcessW` `Uses Microsoft's cryptographic API: CryptSignHashW CryptDecrypt CryptExportKey CryptGetUserKey CryptGetProvParam CryptSetHashParam CryptDestroyKey CryptDestroyHash CryptHashData CryptCreateHash CryptGetHashParam CryptReleaseContext CryptAcquireContextW CryptEnumProvidersW` Leverages the raw socket API to access the Internet: getservbyport gethostbyname gethostbyaddr inet_ntoa inet_addr shutdown WSASetLastError WSAIoctl getservbyname inet_pton inet_ntop send WSACloseEvent WSACreateEvent WSAEnumNetworkEvents WSAEventSelect WSAResetEvent WSAWaitForMultipleEvents closesocket WSAGetLastError recv bind connect getpeername getsockname getsockopt htons ntohs setsockopt WSAStartup ioctlsocket freeaddrinfo getaddrinfo listen htonl accept select __WSAFDIsSet WSACleanup socket `Functions related to the privilege level: OpenProcessToken` `Interacts with services: OpenSCManagerW QueryServiceStatus OpenServiceW` `Enumerates local disk drives: GetDriveTypeW` `Manipulates other processes: Process32FirstW OpenProcess Process32NextW` `Interacts with the certificate store: CertOpenStore CertOpenSystemStoreW`
Info	The PE is digitally signed.	`Signer: WORK PRODUCT` `Issuer: SSL.com EV Code Signing Intermediate CA RSA R3`

Hashes

MD5	`758ad54819cf8626d26ae1fee346a503`
SHA1	`1ab72015f2bbb7ec1b156e00816aaf5b0630aad2`
SHA256	`4779db5eb5116033e0f2e5d7fda041a4887830c778319d55b0bbbef55a6a0e7f`
SHA3	`308a791584920dbf761a8067338c73cb67c31589120058f99d0b9db474aa70ef`
SSDeep	`49152:kGpY9P8hL9oYuWdUpo6ajB5FHC+Wisfo2cLubQ38WkxoWRpSzFvPbsL+D6NQ2kVR:kGpY3YMpo6apKwR3mRpaQL+DB`
Imports Hash	`9351496ea92c820d7d298a44eb3d943a`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x128`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2025-Aug-02 11:07:59
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x262400`
SizeOfInitializedData	`0xc7000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000B998A (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x264000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x32e000`
SizeOfHeaders	`0x400`
Checksum	`0x330768`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4ca13814c88b71ef8d8b69bfe205b4b2`
SHA1	`28686c6f9189b47470cffbbe4f9f0b4cce462372`
SHA256	`424422901d41f32aa82d0ebc6ec4525b2de02ad002144b9acee0ea2bf54ee687`
SHA3	`1d9b1640b15eef5ddc8d0c4e490fe5627bb522436ead20ec7f477b41e1bcc185`
VirtualSize	`0x262246`
VirtualAddress	`0x1000`
SizeOfRawData	`0x262400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.75231`

.rdata

MD5	`fb68414cb609c190bc5141112f482de7`
SHA1	`5df397a1edfd1412a3f10cf0c14cdc5d1614f348`
SHA256	`fe5c60484e311cbb84b09ad870614d2e9f7f4f1c35b843ec4a3108e8719341a8`
SHA3	`b7f8f8b82663fd99f106c49322b9ab82e34a600cd7583aa4ea84cfdcffd83b2b`
VirtualSize	`0xa0044`
VirtualAddress	`0x264000`
SizeOfRawData	`0xa0200`
PointerToRawData	`0x262800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.85108`

.data

MD5	`937a9b869e2ce2f8452b2b3c11f04646`
SHA1	`43125941532d53d0c724d1da6d9c73baaa926593`
SHA256	`708b5c7de25a439667a529d48e54ad6afd091dbb963232c9478b5f87f7d76373`
SHA3	`d68d30f6ba89d676c8cc926b06337a50f7bd6fa31d07efa5f4b7b919771be16d`
VirtualSize	`0xa544`
VirtualAddress	`0x305000`
SizeOfRawData	`0x7a00`
PointerToRawData	`0x302a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.02572`

.rsrc

MD5	`6d1dacc8925e724e364b66db91545b5b`
SHA1	`c300d11688e8c98c09395a348f28989dd406dce8`
SHA256	`f9b99e8939d86ec161fc0d62e0722f4a8291391699418ddbe11380b723c61ef5`
SHA3	`375f0ececfb6f099d512800bf85ea9d5f3c93516517eeae1195534fa9269f798`
VirtualSize	`0x550`
VirtualAddress	`0x310000`
SizeOfRawData	`0x600`
PointerToRawData	`0x30a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.85587`

.reloc

MD5	`e267ae501b1073192ae7046b5d16e308`
SHA1	`67c3b01ecbd55dd2fc90aa734e75ea57d8984eba`
SHA256	`370b9bfb2091609b18a3483b0706e8fb942ebada7e3c2950b370f3c8f8e21a85`
SHA3	`31bbfdd93dc7bfcc90687e795219019fa5fd755b6183d34bd84e3a3dfbe75618`
VirtualSize	`0x1c0ac`
VirtualAddress	`0x311000`
SizeOfRawData	`0x1c200`
PointerToRawData	`0x30aa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.64043`

Imports

VERSION.dll	`GetFileVersionInfoW` `VerQueryValueW` `GetFileVersionInfoSizeW`
WTSAPI32.dll	`WTSQueryUserToken` `WTSEnumerateSessionsW` `WTSQuerySessionInformationW` `WTSFreeMemory`
CRYPT32.dll	`CertOpenStore` `CertCloseStore` `CertEnumCertificatesInStore` `CertFreeCertificateContext` `CertFindCertificateInStore` `CertGetCertificateContextProperty` `CertGetEnhancedKeyUsage` `CertGetIntendedKeyUsage` `CertOpenSystemStoreW` `CertDuplicateCertificateContext`
WS2_32.dll	`getservbyport` `gethostbyname` `gethostbyaddr` `inet_ntoa` `inet_addr` `shutdown` `WSASetLastError` `WSAIoctl` `getservbyname` `inet_pton` `inet_ntop` `send` `WSACloseEvent` `WSACreateEvent` `WSAEnumNetworkEvents` `WSAEventSelect` `WSAResetEvent` `WSAWaitForMultipleEvents` `closesocket` `WSAGetLastError` `recv` `bind` `connect` `getpeername` `getsockname` `getsockopt` `htons` `ntohs` `setsockopt` `WSAStartup` `ioctlsocket` `freeaddrinfo` `getaddrinfo` `listen` `htonl` `accept` `select` `__WSAFDIsSet` `WSACleanup` `socket`
KERNEL32.dll	`CreateFiberEx` `DeleteFiber` `SwitchToFiber` `CreateThread` `WaitForSingleObject` `CloseHandle` `HeapDestroy` `HeapSize` `HeapReAlloc` `HeapFree` `HeapAlloc` `GetProcessHeap` `SizeofResource` `LockResource` `LoadResource` `FindResourceW` `FindResourceExW` `WideCharToMultiByte` `GetModuleFileNameW` `MultiByteToWideChar` `CreateFileW` `GetFileSize` `ReadFile` `LoadLibraryW` `GetProcAddress` `FreeLibrary` `GetCurrentProcess` `IsWow64Process` `GetBinaryTypeW` `WTSGetActiveConsoleSessionId` `CreateToolhelp32Snapshot` `Process32FirstW` `OpenProcess` `LocalFree` `Process32NextW` `GetFileTime` `GetWindowsDirectoryW` `QueryFullProcessImageNameW` `FindFirstFileW` `FindNextFileW` `FindClose` `GlobalMemoryStatusEx` `GetDiskFreeSpaceExW` `GetTickCount` `Sleep` `WriteFile` `GetModuleFileNameA` `DeleteFileA` `CreateFileA` `GetCommandLineA` `CreateMutexA` `GetLastError` `DeleteFileW` `CreateProcessW` `GetProcessId` `OpenEventA` `CreateEventW` `SetEvent` `GetCurrentProcessId` `ConvertFiberToThread` `InitializeCriticalSectionEx` `DecodePointer` `DeleteCriticalSection` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `EnterCriticalSection` `LeaveCriticalSection` `SleepEx` `QueryPerformanceFrequency` `GetSystemDirectoryW` `GetModuleHandleW` `QueryPerformanceCounter` `SetLastError` `FormatMessageW` `MoveFileExW` `WaitForSingleObjectEx` `CompareFileTime` `GetSystemTimeAsFileTime` `GetEnvironmentVariableA` `VerSetConditionMask` `GetModuleHandleA` `VerifyVersionInfoW` `GetDateFormatW` `GetTimeZoneInformation` `GetConsoleOutputCP` `VirtualFree` `GetUserDefaultLCID` `ReleaseSRWLockShared` `InitializeSRWLock` `ReadConsoleA` `SetConsoleMode` `GetEnvironmentVariableW` `SystemTimeToFileTime` `GetSystemTime` `WriteConsoleW` `SetEnvironmentVariableW` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCommandLineW` `GetOEMCP` `GetACP` `GetSystemDirectoryA` `ConvertThreadToFiberEx` `GetTimeFormatW` `CompareStringW` `LCMapStringW` `ReadConsoleW` `GetConsoleMode` `GetStdHandle` `IsValidCodePage` `FindFirstFileExW` `SetConsoleCtrlHandler` `ExitProcess` `GetModuleHandleExW` `FreeLibraryAndExitThread` `ExitThread` `FileTimeToSystemTime` `SystemTimeToTzSpecificLocalTime` `PeekNamedPipe` `GetFileInformationByHandle` `GetDriveTypeW` `GetFileAttributesExW` `GetFullPathNameW` `GetCurrentDirectoryW` `GetLocaleInfoW` `IsValidLocale` `TerminateProcess` `AcquireSRWLockShared` `SetEndOfFile` `SetStdHandle` `FlushFileBuffers` `GetFileSizeEx` `SetFilePointerEx` `EnumSystemLocalesW` `LoadLibraryA` `IsDebuggerPresent` `OutputDebugStringW` `RaiseException` `FormatMessageA` `EncodePointer` `LCMapStringEx` `GetStringTypeW` `GetCPInfo` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsProcessorFeaturePresent` `WakeAllConditionVariable` `SleepConditionVariableSRW` `GetStartupInfoW` `GetCurrentThreadId` `InitializeSListHead` `RtlUnwind` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `LoadLibraryExW` `GetFileType`
USER32.dll	`CharLowerW` `MessageBoxW` `GetProcessWindowStation` `GetUserObjectInformationW`
ADVAPI32.dll	`OpenSCManagerW` `CryptSignHashW` `CryptDecrypt` `CryptExportKey` `CryptGetUserKey` `CryptGetProvParam` `CryptSetHashParam` `CryptDestroyKey` `ReportEventW` `RegisterEventSourceW` `DeregisterEventSource` `GetUserNameW` `CryptDestroyHash` `CryptHashData` `CryptCreateHash` `CryptGetHashParam` `CryptReleaseContext` `CryptAcquireContextW` `CloseServiceHandle` `QueryServiceStatus` `OpenServiceW` `CryptEnumProvidersW` `SetServiceStatus` `RegisterServiceCtrlHandlerW` `StartServiceCtrlDispatcherW` `RegQueryValueExA` `RegEnumValueW` `RegEnumKeyW` `RegQueryValueExW` `ConvertSidToStringSidW` `GetTokenInformation` `OpenProcessToken` `RegCloseKey` `RegEnumKeyExW` `RegOpenKeyExW`
SHELL32.dll	`SHGetKnownFolderPath` `SHGetFolderPathW`
ole32.dll	`CoCreateGuid` `CoTaskMemFree`
SHLWAPI.dll	`SHDeleteValueA` `SHSetValueA` `SHSetValueW` `PathAppendW` `PathFileExistsW` `SHGetValueW` `PathFindFileNameW` `PathRemoveFileSpecA` `PathRemoveFileSpecW` `SHGetValueA`
bcrypt.dll	`BCryptGenRandom`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x32c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.48174`
MD5	`8e8cc70403752439dfc5ad001442e367`
SHA1	`c47a19f5afb7c415e6ec441690ead5de81cf4606`
SHA256	`dfaf1e844e1d267247eb94c9293fac7b5043d6521e6863808cdcf245f3f514dd`
SHA3	`6bb63bc711c641026dc5ddced8d5ac4d827e3185d52a7ce41c5935719b8ff22d`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.3.81.10
ProductVersion	1.3.81.10
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_UNKNOWN`
Language	English - United States
CompanyName	WORK PRODUCT, INC.
FileDescription	OneBrowser Installer
FileVersion (#2)	1.3.81.10
InternalName	OneBrowser Installer
LegalCopyright	Copyright 2025 WORK PRODUCT, INC.
OriginalFilename	OBUpdateService.exe
ProductName	OneBrowser Update
ProductVersion (#2)	1.3.81.10

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2025-Aug-02 11:07:59
Version	`0.0`
SizeofData	`980`
AddressOfRawData	`0x2fe454`
PointerToRawData	`0x2fcc54`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2025-Aug-02 11:07:59
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

StartAddressOfRawData	`0x6fe838`
EndAddressOfRawData	`0x6fe840`
AddressOfIndex	`0x70cfac`
AddressOfCallbacks	`0x6644e8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x7050c0`
SEHandlerTable	`0x6fe078`
SEHandlerCount	`180`

RICH Header

XOR Key	`0xc4b3485b`
Unmarked objects	`0`
ASM objects (27412)	`14`
C++ objects (27412)	`201`
C objects (27412)	`22`
253 (35207)	`6`
ASM objects (35207)	`25`
C objects (35207)	`20`
C++ objects (35207)	`84`
Imports (27412)	`23`
Total imports	`283`
Unmarked objects (#2)	`23`
C objects (VS2022 Update 4 (17.4.2) compiler 31935)	`871`
C++ objects (LTCG) (35209)	`33`
Resource objects (35209)	`1`
151	`1`
Linker (35209)	`1`

Errors

[*] Warning: Please edit the configuration file with your VirusTotal API key.
[!] Error: Could not load yara_rules/bitcoin.yara!
[!] Error: Could not load yara_rules/monero.yara!
[!] Error: Could not load yara_rules/compilers.yara!
[!] Error: Could not load yara_rules/findcrypt.yara!
[!] Error: Could not load yara_rules/suspicious_strings.yara!
[!] Error: Could not load yara_rules/domains.yara!
[!] Error: Could not load yara_rules/peid.yara!

Leave a comment

No comments yet.