Manalyze report for 715b4174065916a6412f60b3c10664b323dc737fd717ab09627083be34626fe0

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-Jun-04 09:29:02
Detected languages	English - United States
Debug artifacts	MpDlpService.pdb
CompanyName	Microsoft Corporation
FileDescription	Microsoft Data Loss Prevention Service
InternalName	MpDlpService.exe
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	MpDlpService.exe
ProductName	MicrosoftÂ® WindowsÂ® Operating System
FileVersion	`4.18.23110.3 (9ebb3643d539a6fc4659898b1df3124d5da4c0a9)`
ProductVersion	`4.18.23110.3`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: MsMpEng.exe` `May have dropper capabilities: CurrentControlSet\Services` `Miscellaneous malware strings: Cmd.exe`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to RC5 or RC6` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryW LoadLibraryExW GetProcAddress` `Functions which can be used for anti-debugging purposes: NtQueryInformationProcess` `Can access the registry: RegCloseKey RegQueryValueExW RegOpenKeyExW RegSetValueExW` `Possibly launches other programs: CreateProcessAsUserW CreateProcessW` `Uses Microsoft's cryptographic API: CryptCATAdminCalcHashFromFileHandle CryptCATAdminAcquireContext CryptCATCatalogInfoFromContext CryptCATAdminReleaseCatalogContext CryptCATAdminReleaseContext CryptCATAdminEnumCatalogFromHash` `Functions related to the privilege level: CheckTokenMembership AdjustTokenPrivileges OpenProcessToken` `Interacts with services: OpenSCManagerW OpenServiceW QueryServiceStatus ChangeServiceConfigW QueryServiceConfigW` `Enumerates local disk drives: GetDriveTypeW` `Manipulates other processes: OpenProcess` `Changes object ACLs: SetNamedSecurityInfoW SetSecurityInfo`
Info	The PE is digitally signed.	`Signer: Microsoft Windows Publisher` `Issuer: Microsoft Windows Production PCA 2011`
Safe	VirusTotal score: 0/71 (Scanned on 2026-05-02 02:01:49)	`All the AVs think this file is safe.`

Hashes

MD5	`6669e10c960f6c2297bcd3d5a27412aa`
SHA1	`73bee544b24312d0057d9ce5e62daa9f73243d00`
SHA256	`715b4174065916a6412f60b3c10664b323dc737fd717ab09627083be34626fe0`
SHA3	`6eb496748e925ea5464565df7de071762911650edcd66d04a3e2fc9450a2fc96`
SSDeep	`12288:tiGbyLR32C4NHhZoLCZcvDaLgf5pB6Nwi5//E7soazN0uahRg:MGboR3P4NHboLCevWLGL6//E7sTN0hhC`
Imports Hash	`7a6da7c5d1116b706b7932d3f11a50c9`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2026-Jun-04 09:29:02
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x74000`
SizeOfInitializedData	`0x34000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000053E0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`6.2`
Win32VersionValue	`0`
SizeOfImage	`0xa9000`
SizeOfHeaders	`0x1000`
Checksum	`0xafe0f`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ebaa9f28edc84b0744098ab7232bcfb1`
SHA1	`fe89ecbc8baca25843f65019b5477cdbd62dce90`
SHA256	`4ae88029c01cee7a8da63e7a20ec8194eeb102dc11726d58cf9dd7ddc1ff08cf`
SHA3	`c7bbd3ce6df3244992b1c303efa289b2ee0c674eeb864831025544d462cd0bbe`
VirtualSize	`0x735b2`
VirtualAddress	`0x1000`
SizeOfRawData	`0x74000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.4431`

.rdata

MD5	`59a90ef43b56764a255484360cd9cfa4`
SHA1	`ba18c41ec852a5ae932c33e5002465b38f75e566`
SHA256	`a5052fc06b1c11f546dc09cc7351dc15904c1339d7981252a8841c1c92bd2950`
SHA3	`ad1c65e1016f72a7223eedcd2f4fb6f83dfe322c3d076814080835598a799c14`
VirtualSize	`0x2576c`
VirtualAddress	`0x75000`
SizeOfRawData	`0x26000`
PointerToRawData	`0x75000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.09669`

.data

MD5	`d7dd41c77069c63d138a814ca01d6bb0`
SHA1	`6b0f5483093d51255a8a2b6a66c9053934806e7b`
SHA256	`ae58588c058290b63486b9cf4bab4c181a80e33193c6750f1fab05aa3079dcec`
SHA3	`b2986205ba13860c86d83c1cd3e2e59c2791ddedf54d59a669543b5d2835585d`
VirtualSize	`0x44f0`
VirtualAddress	`0x9b000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x9b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.75454`

.pdata

MD5	`9aa2d6a4e350e8f98358064dccd095ec`
SHA1	`25cc4903125c19cb56bfd8083d258fa490e88de8`
SHA256	`96ee7db5ac4454f7d8f47d4362c83a8469319c491ad8f8e4ca34e3dc08904832`
SHA3	`c6fd7f1d111ad30efc0aeea3b55d4699f5575fadcbc361a4aa5b4123f7bc7d2d`
VirtualSize	`0x5028`
VirtualAddress	`0xa0000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x9e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.10302`

.rsrc

MD5	`457ee047677c07e85dbdc7ea57aa92a7`
SHA1	`c977712bf9cce0eeec7f017f8cdf0f02ab434b32`
SHA256	`61d0055f0b163ff19a92e077711ece46aad6e617021178dbb6cb072afe24aab8`
SHA3	`61ac1f085aa5daf3b701e2ad6419900a573b6a0cfcdbcfc719246572cb370340`
VirtualSize	`0x828`
VirtualAddress	`0xa6000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xa4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.8621`

.reloc

MD5	`7dd938f7c27073eef2e2abd570bc5076`
SHA1	`9a7f92fbbd32906395d11cefa611283318acdd26`
SHA256	`6fba39c8ed5598adde1e9e3fadf1cb6dadbbf0626fc978e8bbbf04383d56178a`
SHA3	`64a254ca3283a935780b34f540d905be35eaa4448d03c5127dd92d71da13e277`
VirtualSize	`0x1070`
VirtualAddress	`0xa7000`
SizeOfRawData	`0x2000`
PointerToRawData	`0xa5000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.69726`

Imports

ADVAPI32.dll	`UnregisterTraceGuids` `RegisterTraceGuidsW` `GetTraceEnableLevel` `GetTraceEnableFlags` `GetTraceLoggerHandle` `TraceMessage` `RegCloseKey` `GetSecurityDescriptorSacl` `AllocateAndInitializeSid` `SetEntriesInAclW` `SetNamedSecurityInfoW` `CopySid` `FreeSid` `CheckTokenMembership` `EventUnregister` `EventRegister` `EventWriteTransfer` `ChangeServiceConfig2W` `LookupPrivilegeValueW` `AdjustTokenPrivileges` `CloseServiceHandle` `OpenSCManagerW` `OpenServiceW` `QueryServiceStatus` `NotifyServiceStatusChangeW` `StartServiceW` `CreateProcessAsUserW` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `ConvertStringSidToSidW` `GetLengthSid` `RegQueryValueExW` `RegOpenKeyExW` `RegSetValueExW` `OpenProcessToken` `ChangeServiceConfigW` `QueryServiceConfigW` `StartServiceCtrlDispatcherW` `SetServiceStatus` `RegisterServiceCtrlHandlerExW` `GetTokenInformation` `ConvertSidToStringSidW` `SetSecurityInfo` `InitializeAcl`
KERNEL32.dll	`CloseHandle` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSectionAndSpinCount` `DeleteCriticalSection` `SetEvent` `ResetEvent` `WaitForSingleObjectEx` `CreateEventW` `GetModuleHandleW` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetStartupInfoW` `IsProcessorFeaturePresent` `GetCurrentProcess` `TerminateProcess` `RaiseException` `GetLastError` `SetLastError` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `EncodePointer` `InitializeCriticalSectionEx` `DebugBreak` `GetFileAttributesW` `WaitForSingleObject` `GetTickCount64` `OutputDebugStringW` `FormatMessageW` `GetProcessTimes` `ProcessIdToSessionId` `LoadLibraryW` `GetFileInformationByHandle` `AcquireSRWLockShared` `ReleaseSRWLockShared` `AcquireSRWLockExclusive` `ReleaseSRWLockExclusive` `ExpandEnvironmentStringsW` `QueryDosDeviceW` `CreateSemaphoreExW` `HeapFree` `ReleaseSemaphore` `GetModuleHandleExW` `ReleaseMutex` `OpenSemaphoreW` `CreateMutexExW` `GetProcessHeap` `CompareFileTime` `lstrcmpW` `DeleteFileW` `FindClose` `OpenProcess` `SleepEx` `CreateFileW` `LocalFree` `GetDriveTypeW` `DeleteTimerQueueTimer` `LCMapStringW` `UnregisterWaitEx` `MultiByteToWideChar` `WideCharToMultiByte` `FormatMessageA` `GetModuleFileNameW` `GetSystemDirectoryW` `HeapSetInformation` `CreateProcessW` `CreateDirectoryW` `ReadFile` `FindFirstFileW` `GetFileSizeEx` `CreateTimerQueueTimer` `FindNextFileW` `WriteFile` `RegisterWaitForSingleObject` `SetEnvironmentVariableW` `SetFilePointerEx` `LoadLibraryExW` `FileTimeToSystemTime` `GetLocalTime` `GetSystemTime` `DeviceIoControl` `HeapAlloc` `GetFinalPathNameByHandleW` `WriteConsoleW` `SetEndOfFile` `ReadConsoleW` `GetConsoleMode` `GetConsoleOutputCP` `FlushFileBuffers` `HeapSize` `CompareStringW` `EnumSystemLocalesW` `GetUserDefaultLCID` `IsValidLocale` `GetLocaleInfoW` `GetFileType` `SetStdHandle` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `FindFirstFileExW` `HeapReAlloc` `GetOEMCP` `GetACP` `IsValidCodePage` `FreeLibraryAndExitThread` `ExitThread` `CreateThread` `GetCommandLineW` `GetCommandLineA` `ExitProcess` `GetStdHandle` `GetCPInfo` `LCMapStringEx` `DecodePointer` `InitOnceComplete` `InitOnceBeginInitialize` `GetLocaleInfoEx` `SetErrorMode` `GetProcAddress` `FreeLibrary` `GetModuleFileNameA` `GetStringTypeW` `VirtualLock`
mpclient.dll	`MpConfigUninitialize` `MpClientUtilExportFunctions` `MpFreeMemory` `MpAllocMemory` `MpConfigRegisterForNotifications` `MpConfigGetValue` `MpConfigOpen` `MpConfigUnregisterNotifications` `MpConfigClose` `MpConfigGetValueAlloc` `MpConfigSetValue` `MpConfigInitialize`
WTSAPI32.dll	`WTSQueryUserToken`
ntdll.dll	`RtlUnwind` `RtlPcToFileHeader` `RtlUnwindEx` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `RtlNtStatusToDosError` `NtQueryInformationProcess` `RtlGetVersion`
CRYPT32.dll	`CertVerifyCertificateChainPolicy`
ole32.dll	`CreateBindCtx` `CoSetProxyBlanket` `CoTaskMemFree` `CoCreateInstance`
RPCRT4.dll	`RpcImpersonateClient` `RpcBindingToStringBindingW` `RpcStringBindingParseW` `RpcBindingInqAuthClientW` `RpcStringFreeW` `RpcServerRegisterAuthInfoW` `RpcServerUseProtseqW` `RpcRevertToSelf` `RpcServerInqBindings` `RpcEpRegisterW` `RpcServerRegisterIfEx` `RpcBindingVectorFree` `RpcEpUnregister` `RpcServerUnregisterIf` `NdrServerCallAll` `NdrServerCall2`
USERENV.dll	`CreateEnvironmentBlock` `DestroyEnvironmentBlock` `ExpandEnvironmentStringsForUserW`
WINTRUST.dll	`WTHelperGetProvSignerFromChain` `CryptCATAdminCalcHashFromFileHandle` `CryptCATAdminAcquireContext` `WinVerifyTrust` `CryptCATCatalogInfoFromContext` `CryptCATAdminReleaseCatalogContext` `CryptCATAdminReleaseContext` `WTHelperProvDataFromStateData` `CryptCATAdminEnumCatalogFromHash`
urlmon.dll	`MkParseDisplayNameEx`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3ec`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.54642`
MD5	`e8b408c07c9b77763f8bea08cd85d371`
SHA1	`3e2b912b97d05194b6ede52f2767847d9e4670aa`
SHA256	`3662ece79f8ff0179bee260f6a4d1d2b1b36e14b2fa21d7f6cb76c5e8c38e857`
SHA3	`6d698fe8e4c28f381c91d92bd1dcaab3f0ab41201ae33e76983705845504b9da`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x398`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.18559`
MD5	`a722525c336a5248738bc1fb4cb17285`
SHA1	`be3c018e5e0a5b1f6488f744343c984482a17261`
SHA256	`88b94126201e8539bea2b7934b1645456162f53d2d7aa0e279a89e7d48686bb1`
SHA3	`b2ba6f8946b209dc0fe5be5878b7daf5bd2e122e3cb7b794b9a3abfb393a136e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	4.18.23110.3
ProductVersion	4.18.23110.3
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Microsoft Data Loss Prevention Service
InternalName	MpDlpService.exe
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	MpDlpService.exe
ProductName	MicrosoftÂ® WindowsÂ® Operating System
FileVersion (#2)	4.18.23110.3 (9ebb3643d539a6fc4659898b1df3124d5da4c0a9)
ProductVersion (#2)	4.18.23110.3

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2026-Jun-04 09:29:02
Version	`0.0`
SizeofData	`41`
AddressOfRawData	`0x91c1c`
PointerToRawData	`0x91c1c`
Referenced File	MpDlpService.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-Jun-04 09:29:02
Version	`0.0`
SizeofData	`1264`
AddressOfRawData	`0x91c48`
PointerToRawData	`0x91c48`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2026-Jun-04 09:29:02
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x92160`
PointerToRawData	`0x92160`

UNKNOWN (#2)

Characteristics	`0`
TimeDateStamp	2026-Jun-04 09:29:02
Version	`0.0`
SizeofData	`4`
AddressOfRawData	`0x92184`
PointerToRawData	`0x92184`

TLS Callbacks

StartAddressOfRawData	`0x1400921a8`
EndAddressOfRawData	`0x1400921b0`
AddressOfIndex	`0x14009d2a8`
AddressOfCallbacks	`0x14007b908`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14009c690`
GuardCFCheckFunctionPointer	`5369214640`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xb256641e`
Unmarked objects	`0`
C objects (32595)	`37`
C++ objects (32595)	`229`
ASM objects (32595)	`23`
Imports (32595)	`31`
Total imports	`434`
126 (VS2012 build 50727 / VS2005 build 50727)	`10`
C++ objects (LTCG) (32595)	`175`
Resource objects (32595)	`1`
Linker (32595)	`1`

Errors

Leave a comment

No comments yet.