Manalyze report for f1ddb7461a886af858fcf5e6e964d2d6c32d545a09fe94df1a3dbfbd0cfa05cd

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2018-Jan-16 07:18:14
Detected languages	English - United States
Debug artifacts	C:\Users\paulb\code\Squirrel\squirrel.windows\src\Setup\bin\Release\Setup.pdb
FileDescription	SourceTree
FileVersion	`3.4.26`
InternalName	Setup.exe
LegalCopyright	Copyright Â© Atlassian
OriginalFilename	Setup.exe
ProductName	SourceTree
ProductVersion	`3.4.26`
SquirrelAwareVersion	1
CompanyName	Atlassian

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Qemu presence: QeMu` `May have dropper capabilities: CurrentVersion\Run` `Contains domain names: go.microsoft.com http://go.microsoft.com http://go.microsoft.com/fwlink/?LinkId microsoft.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryExW GetProcAddress` `Can access the registry: RegOpenKeyExW RegDeleteValueW RegCreateKeyExW RegEnumKeyExW RegQueryInfoKeyW RegDeleteKeyW RegCloseKey RegSetValueExW RegQueryValueExW` `Possibly launches other programs: CreateProcessW ShellExecuteW` `Can create temporary files: CreateFileW GetTempPathW` `Has Internet access capabilities: URLDownloadToFileW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Can shut the system down or lock the screen: ExitWindowsEx`
Suspicious	The PE is possibly a dropper.	`Resources amount for 99.325% of the executable.`
Info	The PE is digitally signed.	`Signer: Atlassian Pty Ltd` `Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
Suspicious	VirusTotal score: 1/71 (Scanned on 2026-02-25 15:55:29)	`Trapmine: suspicious.low.ml.score`

Hashes

MD5	`5ef86bb284ae7ff6178c8727ff8e1f89`
SHA1	`c2b259fc498381111a97e132e0d3324cb2511f74`
SHA256	`f1ddb7461a886af858fcf5e6e964d2d6c32d545a09fe94df1a3dbfbd0cfa05cd`
SHA3	`3f105cdd42c4c8b4f3361f109c076ae35e3a2965039690f4ef6b039af47e149c`
SSDeep	`786432:I3miQa479lqP/PoT98hwa9INJItQtdo1KxuvEfRTB:IWiQNwo98aNcQroEt`
Imports Hash	`6b4d5c8216d450ee5a7c849b21ee169d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2018-Jan-16 07:18:14
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x1bc00`
SizeOfInitializedData	`0x185e200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00009E92 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1d000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x187e000`
SizeOfHeaders	`0x400`
Checksum	`0x187c6a9`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`b0ddfaf7b6d057e16337add779e8ead4`
SHA1	`c91c42f056469526b33156421bc49c22ba786e12`
SHA256	`8ec246677b4b8860da3601767fec083fefc47a469056fec0d034b8f917cbfbe8`
SHA3	`1899d3e92e27a1eb266dd0653b76c54ed6efa337836278296b4740ed9f331182`
VirtualSize	`0x1ba5e`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1bc00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.6538`

.rdata

MD5	`72916ad0b9e643fa0b839eb81a139257`
SHA1	`e6ea0389354935636e85d9e88c7023f312cad160`
SHA256	`cd846c93a174f91e8dd5eaeb0eed6542d18d5fdb96b9f28e11ca7401ee6b4476`
SHA3	`35769e4875d20be98e4e53f47edf40a1eed2682abf1183a8bb32903fc2b78063`
VirtualSize	`0xa8b0`
VirtualAddress	`0x1d000`
SizeOfRawData	`0xaa00`
PointerToRawData	`0x1c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.94586`

.data

MD5	`fc45425f147a542d3bcb77aaec700cf8`
SHA1	`bc2ff5ea0c6ef38c88f1b26607e6712b85b984c7`
SHA256	`2741eccde7f8369edea81d21be7db0c3f9c66383e010cd14ac82e6d5e289f12b`
SHA3	`df3f0b68cdb97e6590cd4cee79d8dd3fba9c17c9e519833eb80a85751967d4cc`
VirtualSize	`0x1668`
VirtualAddress	`0x28000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x26a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.00731`

.rsrc

MD5	`52ce64d07dbb9c113929db2a96a68fc8`
SHA1	`60c3d59ae6fe19c775eee6b11ac97f599d7edc1a`
SHA256	`9cc985934f9b7e506fd895ebed553a72d8f53a81efb52f584db7c31d3e527bec`
SHA3	`86cd2127e01b651905e531af669c1f63e5a89b52101ba14b281ee5dbfa3b61e1`
VirtualSize	`0x1851218`
VirtualAddress	`0x2a000`
SizeOfRawData	`0x1851400`
PointerToRawData	`0x27600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99911`

.reloc

MD5	`4a7e92b9b9dd48c253926dfccdac39e6`
SHA1	`a0b88d3ab8896378f7be9cb48dcd05dd234c3f31`
SHA256	`cfdc5a6393d398b6b7424592085e66703519af1659334abb2623e169f0f67a65`
SHA3	`2790815f0251b4e0ad1488b9cb4006482ffbbe22fb0df37064beb74af91365fb`
VirtualSize	`0x17c8`
VirtualAddress	`0x187c000`
SizeOfRawData	`0x1800`
PointerToRawData	`0x1878a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.59879`

Imports

KERNEL32.dll	`GetCurrentProcess` `LoadLibraryW` `FreeLibrary` `InitializeCriticalSectionEx` `GetFileAttributesW` `CreateFileW` `SetFilePointer` `ReadFile` `SystemTimeToFileTime` `GetCurrentDirectoryW` `MultiByteToWideChar` `LocalFileTimeToFileTime` `WideCharToMultiByte` `CreateDirectoryW` `WriteFile` `SetFileTime` `FreeResource` `SizeofResource` `LockResource` `CreateProcessW` `GetCurrentThreadId` `DecodePointer` `RaiseException` `LeaveCriticalSection` `EnterCriticalSection` `lstrcmpiW` `LoadLibraryExW` `SetFilePointerEx` `GetModuleFileNameW` `GetConsoleCP` `FlushFileBuffers` `GetStringTypeW` `SetStdHandle` `DeleteFileW` `CloseHandle` `GetExitCodeProcess` `WaitForSingleObject` `MoveFileW` `GetTempFileNameW` `GetLastError` `GetTempPathW` `DeleteCriticalSection` `GetModuleHandleW` `GetProcAddress` `lstrlenW` `FindResourceW` `LoadResource` `VerSetConditionMask` `GetProcessHeap` `SetEnvironmentVariableW` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCommandLineW` `GetCommandLineA` `GetCPInfo` `GetOEMCP` `WriteConsoleW` `IsValidCodePage` `FindNextFileW` `FindFirstFileExW` `FindClose` `HeapReAlloc` `HeapSize` `GetConsoleMode` `VerifyVersionInfoW` `IsDebuggerPresent` `OutputDebugStringW` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `GetStartupInfoW` `QueryPerformanceCounter` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `InitializeSListHead` `RtlUnwind` `SetLastError` `EncodePointer` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `ExitProcess` `GetModuleHandleExW` `GetStdHandle` `GetACP` `HeapFree` `HeapAlloc` `GetFileType` `CompareStringW` `LCMapStringW`
USER32.dll	`CharNextW` `ExitWindowsEx` `wsprintfW` `MessageBoxW` `DestroyWindow` `LoadStringW` `GetActiveWindow`
ADVAPI32.dll	`GetUserNameW` `RegOpenKeyExW` `RegDeleteValueW` `RegCreateKeyExW` `RegEnumKeyExW` `RegQueryInfoKeyW` `RegDeleteKeyW` `GetTokenInformation` `RegCloseKey` `AdjustTokenPrivileges` `OpenProcessToken` `LookupPrivilegeValueW` `RegSetValueExW` `RegQueryValueExW`
SHELL32.dll	`SHGetFolderPathW` `ShellExecuteExW` `ShellExecuteW`
ole32.dll	`CoTaskMemRealloc` `CoTaskMemFree` `CoCreateInstance` `CoTaskMemAlloc` `CoInitialize`
OLEAUT32.dll	`VariantInit` `SysFreeString` `SysAllocString` `VarUI4FromStr` `VariantClear`
urlmon.dll	`URLDownloadToFileW`
SHLWAPI.dll	`PathIsUNCW`
COMCTL32.dll	`InitCommonControlsEx`

Delayed Imports

131

Type	`DATA`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x184e83d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99911`
Detected Filetype	Zip Compressed Archive
MD5	`39f382a8ca08796338efa773afe622ff`
SHA1	`1b571aa34851d9ad2a78bcaaaa8764a6b26ef76e`
SHA256	`b6ab2b5ab7b15051688025cbd5d11b1ff018b3532310e57b9accdfb2624d21e2`
SHA3	`bf59ae42ae861b4dc912ce9393290c60dabd1e4b4f672ea137130bb9d244144b`

132

Type	`FLAGS`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.94734`
MD5	`b68200a712bcead87897deca6a51f2b0`
SHA1	`8a16e6f12c2a1c538faac31e7f0e85e4abbd0f2e`
SHA256	`73a13748a4a02a80d7ffceb873c81286647fe742f90eff8df47502a87b694aa8`
SHA3	`bdbfefdb871b0ae09b0d4b360fb44b09809294f7847c359838f4ccec2687982f`

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.93257`
MD5	`9672b12784736875de8a7a86503b8d7d`
SHA1	`26a01ce5a289eeac83a0060261dfe32deba5ef54`
SHA256	`324507bcd33928c54048fb142e9bb62bde80fa019dd00c4d3ca9ed1e06546f2e`
SHA3	`4b63398972bf65536792431db1bcb31d2926bdd58f3ee8cbac6d1e958490d18d`

2

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.14675`
MD5	`fd881fe96555c23177aea9a3369e20a6`
SHA1	`5d442cef57659136446e782f3449c33586bd2795`
SHA256	`a134a35831460694ce4583e9faf788061ca7c2035436c1aba3c45128fe636153`
SHA3	`e3484617787a838496ec6cccf2bbfd05d815ea49642cf26569c0e24b03464345`

3

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.93257`
MD5	`9672b12784736875de8a7a86503b8d7d`
SHA1	`26a01ce5a289eeac83a0060261dfe32deba5ef54`
SHA256	`324507bcd33928c54048fb142e9bb62bde80fa019dd00c4d3ca9ed1e06546f2e`
SHA3	`4b63398972bf65536792431db1bcb31d2926bdd58f3ee8cbac6d1e958490d18d`

4

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.14675`
MD5	`fd881fe96555c23177aea9a3369e20a6`
SHA1	`5d442cef57659136446e782f3449c33586bd2795`
SHA256	`a134a35831460694ce4583e9faf788061ca7c2035436c1aba3c45128fe636153`
SHA3	`e3484617787a838496ec6cccf2bbfd05d815ea49642cf26569c0e24b03464345`

7

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x418`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.42628`
MD5	`b3929f22874681b61a010f8f75f65fd1`
SHA1	`49b8c83a2b4f01b11375fb6d77fa96a28728cf21`
SHA256	`0006cad215def152b7dcb1273af6eeba52177405104408622881fa740a45bcca`
SHA3	`0e6c15af28c413bcb291e146ab7e5301386907050357b8266e350d6e920a3272`

8

Type	`RT_STRING`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x472`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.32213`
MD5	`8a1122b792cb09a177bb9c04e0be76b8`
SHA1	`1146483be76573637a22b929c8651e95b416d6c4`
SHA256	`c5bdefb999b11c0a16c8d67f5935cd703de1094d2579683083da336101ab6663`
SHA3	`1c6076ec0152e309e83f0ec47c5c06484d558523cad0bcd5f32853deca4484a0`

107

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.37447`
Detected Filetype	Icon file
MD5	`e9ef6e365b9e8c9654a9ece0c4ea75d0`
SHA1	`9c6f76521ef851a7bcc221d9da02d6e210bc0dc1`
SHA256	`9f8d3c735f57ec1d0c60b9429f4c64eb1adec6e77084b89d55cd188897e494c2`
SHA3	`611781bb034b1bb9193a0e98403412e253f2cb932dde330edf53e98debca11e6`

108

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.49212`
Detected Filetype	Icon file
MD5	`cf3085ea1b910041caf08edc245b714a`
SHA1	`25f85c0fa63f5d273720ce9636d1504ebcd5d53e`
SHA256	`e3a01fe1922074f8dff9e049cd64133d77d1d6a9f008da9ba06baf49f8d1a679`
SHA3	`d95e4c37fe246069c5207e11709ff8e4564c1df28ce7b254a7facb3f98dc4f70`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x2e0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.3355`
MD5	`dad02a5ac02d4cd0feec806fa1a6a30a`
SHA1	`0a4641407d5b0548425d7828630238ea167a8c89`
SHA256	`25c3e022ad31d728c2f450ebc2d6d803c69959abb899df17a453e2ed46fe8a43`
SHA3	`4ad182330f827512a85685dc0d240b37d2de89fde3c13232c6a28aaf837d682a`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x3e7`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.31968`
MD5	`cbf1999e86cc16eecf938cd04af0d4c6`
SHA1	`122d3576bdbf673d455d670471ffe6798d05da93`
SHA256	`4efcab28b7b3bc5b6c4f7450d0fd4f4bc780710013e898cf70fcac63b8619e28`
SHA3	`ee23027959eda5f0bce255c1db79d06eea3b34f89426b0c9f41c7f0ab321e28f`

String Table contents

Setup
http://go.microsoft.com/fwlink/?LinkId=397707
http://go.microsoft.com/fwlink/?LinkId=780596
Install .NET 4.5
Install .NET 4.6
This application requires the .NET Framework 4.5. Click the Install button to get started.
SETUP
This application requires the .NET Framework 4.6. Click the Install button to get started.
This application requires the .NET Framework 4.5 or above. Clicking the Install button will download the latest version of this operating system component from Microsoft and install it on your PC.
This application requires the .NET Framework 4.6 or above. Clicking the Install button will download the latest version of this operating system component from Microsoft and install it on your PC.
net46
net47
This application requires the .NET Framework 4.7 or above. Clicking the Install button will download the latest version of this operating system component from Microsoft and install it on your PC.
This application requires the .NET Framework 4.7. Click the Install button to get started.
Install .NET 4.7
http://go.microsoft.com/fwlink/?LinkId=825298

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	3.4.26.0
ProductVersion	3.4.26.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
FileDescription	SourceTree
FileVersion (#2)	3.4.26
InternalName	Setup.exe
LegalCopyright	Copyright Â© Atlassian
OriginalFilename	Setup.exe
ProductName	SourceTree
ProductVersion (#2)	3.4.26
SquirrelAwareVersion	1
CompanyName	Atlassian

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2018-Jan-16 07:18:14
Version	`0.0`
SizeofData	`102`
AddressOfRawData	`0x25bf4`
PointerToRawData	`0x24bf4`
Referenced File	C:\Users\paulb\code\Squirrel\squirrel.windows\src\Setup\bin\Release\Setup.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2018-Jan-16 07:18:14
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x25c5c`
PointerToRawData	`0x24c5c`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2018-Jan-16 07:18:14
Version	`0.0`
SizeofData	`820`
AddressOfRawData	`0x25c70`
PointerToRawData	`0x24c70`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2018-Jan-16 07:18:14
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x98`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x428004`
SEHandlerTable	`0x425b80`
SEHandlerCount	`29`

RICH Header

XOR Key	`0x26aebe28`
Unmarked objects	`0`
241 (40116)	`9`
243 (40116)	`123`
242 (40116)	`24`
ASM objects (VS2015 v14.0.? compiler 25305)	`18`
C objects (VS2015 v14.0.? compiler 25305)	`20`
C++ objects (VS2015 v14.0.? compiler 25305)	`48`
C objects (65501)	`2`
208 (65501)	`1`
Imports (65501)	`19`
Total imports	`148`
C++ objects (LTCG) (VS2017 v15.3.* compiler 25508)	`6`
Resource objects (VS2017 v15.3.* compiler 25508)	`1`
151	`1`
Linker (VS2017 v15.3.* compiler 25508)	`1`

Errors

Leave a comment

No comments yet.