Manalyze report for 7dd5f9ab4fb9c71419af973fcf2e973d

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-Feb-17 20:06:17
Detected languages	English - United States
Debug artifacts	MpWUStub.pdb
CompanyName	Microsoft Corporation
FileDescription	Microsoft Antimalware WU Stub
InternalName	AM_Delta_Patch_1.445.111.0.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	AM_Delta_Patch_1.445.111.0.exe
ProductName	Microsoft Malware Protection
FileVersion	`1.445.113.0`
ProductVersion	`1.445.113.0`
StubName	WuStubFinal
StubVersion	1.1.24010.2001

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8.0`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegCreateKeyExW RegSetValueExW RegOpenKeyExW RegQueryValueExW RegCloseKey` `Possibly launches other programs: CreateProcessW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken CheckTokenMembership` `Manipulates other processes: Process32NextW Process32FirstW OpenProcess`
Malicious	The PE is possibly a dropper.	`Resource UPDATEPAYLOAD detected as a CAB Installer file.`
Info	The PE is digitally signed.	`Signer: Microsoft Corporation` `Issuer: Microsoft Windows Code Signing PCA 2024`
Safe	VirusTotal score: 0/72 (Scanned on 2026-02-17 23:03:13)	`All the AVs think this file is safe.`

Hashes

MD5	`7dd5f9ab4fb9c71419af973fcf2e973d`
SHA1	`478ce80692ac8100a94c7f16567416496a469796`
SHA256	`3baecba683419cd7ab2451439e0b2689ce30b8748ece7c356712ad24f15b313d`
SHA3	`805f1c86ee4bbb3e59a366740a036e03da30455863cb6e70a552804b56ffa9d1`
SSDeep	`6144:3rCFuGeF7SsncR9klvkRS6E/9+9ECJwTdcYQpG:bkIFuus9klvkRSPKiT0pG`
Imports Hash	`52cee9c1bc4bda1f4f98a36e5ef61615`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2026-Feb-17 20:06:17
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2c000`
SizeOfInitializedData	`0x26000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000007770 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x55000`
SizeOfHeaders	`0x1000`
Checksum	`0x58c10`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`76710c3d5f1d50f5e4331c654bc11c99`
SHA1	`bfacc68dd76d730616d367a4c5472fea35454b82`
SHA256	`4126a5ae7cbe6e44224fb3d9607b86c041a13595bfce720d53784e12e561bae2`
SHA3	`b5c855023dde98adc48dc4ad7de96c997926472a4979139912b04f90bf591e10`
VirtualSize	`0x2bc62`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2c000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46837`

.rdata

MD5	`1bdc066dbbd26cb28726389287a5ba99`
SHA1	`374e724ddb40218f206764b5a171a0fd363b6836`
SHA256	`1769658b0cb15d00c3ef5ce0b004061caf2d03a300877fedf43bf17cf3165b91`
SHA3	`3c99f558beefab47ee9b252d9038b729f0a17bdd8cb8196896df391e865b53bc`
VirtualSize	`0xdeec`
VirtualAddress	`0x2d000`
SizeOfRawData	`0xe000`
PointerToRawData	`0x2d000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.06487`

.data

MD5	`cdea481a7fd962cbae3eced6666c8b15`
SHA1	`2b136a04ea4ee200bd99fc17f6b6873b3838a1a5`
SHA256	`d7d7df901258d03810560fd8d7e44e32211ecd304e4461497c3a51b356ea14aa`
SHA3	`883c7d0023104d418581663a272f145afbc29864771951e13ba7fb98d58c38b2`
VirtualSize	`0x24e0`
VirtualAddress	`0x3b000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x3b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.6641`

.pdata

MD5	`febe8f1985b0cdd587d5c9e9a6502085`
SHA1	`71a0d54326d226cf505e0c54608929397281c04b`
SHA256	`b206505eb6315b4ada04aaa30046726fe5f936d7c3ce7a15d715a950d75804ae`
SHA3	`e112edb8c2704cc878cc5a2272961e2b2814f2bbba24b22a771941855d848f20`
VirtualSize	`0x20c4`
VirtualAddress	`0x3e000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x3c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.0596`

.rsrc

MD5	`657863da63060f991dd955b849b54a27`
SHA1	`01eb2fcc3cd567dd170cf7345b72eb0f1b65039c`
SHA256	`f5d7207fa736d4dd004f4ffe3c515e18fcccdfe9b27d59b18a3323e2b6625e66`
SHA3	`2977c3002c73271870a592462539ce11df019837d841903fab27e8bf377ac172`
VirtualSize	`0x12224`
VirtualAddress	`0x41000`
SizeOfRawData	`0x13000`
PointerToRawData	`0x3f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.93175`

.reloc

MD5	`c4c9c12741319b959b0e3d96f105e282`
SHA1	`87cae12cd59c24dbfddf69f34a042c6b74372c24`
SHA256	`2dff5bfd87ecd4f14694a854b8820b09ccb00201449e36e21c1ca1384e55b4af`
SHA3	`cb66eb01cc5b785326abaf1a630d37d9cc55ec72a5400dcdc635b8b8b7d4efec`
VirtualSize	`0x610`
VirtualAddress	`0x54000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x52000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.91245`

Imports

ADVAPI32.dll	`UnregisterTraceGuids` `RegisterTraceGuidsW` `GetTraceEnableLevel` `GetTraceEnableFlags` `GetTraceLoggerHandle` `TraceMessage` `EventWriteTransfer` `RegCreateKeyExW` `RegSetValueExW` `RegOpenKeyExW` `RegQueryValueExW` `LookupPrivilegeValueW` `AdjustTokenPrivileges` `RegCloseKey` `EventUnregister` `EventRegister` `OpenThreadToken` `OpenProcessToken` `GetLengthSid` `CheckTokenMembership` `FreeSid` `CopySid` `AllocateAndInitializeSid`
KERNEL32.dll	`CloseHandle` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetLastError` `SetLastError` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `GetCurrentThread` `GetCurrentThreadId` `HeapAlloc` `HeapFree` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `InitializeCriticalSectionAndSpinCount` `GetSystemTimeAsFileTime` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `CompareStringW` `LCMapStringW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetStringTypeW` `MultiByteToWideChar` `ExitProcess` `GetModuleHandleW` `GetModuleHandleExW` `GetProcessHeap` `WideCharToMultiByte` `HeapSize` `HeapReAlloc` `GetStartupInfoW` `QueryPerformanceCounter` `GetCurrentProcessId` `InitializeSListHead` `EncodePointer` `RaiseException` `InitializeCriticalSectionEx` `CallNamedPipeW` `InitializeProcThreadAttributeList` `CreateToolhelp32Snapshot` `UpdateProcThreadAttribute` `Process32NextW` `Process32FirstW` `DeleteProcThreadAttributeList` `WaitNamedPipeW` `VirtualQuery` `FlushFileBuffers` `GetProcessId` `GetProcessTimes` `GetCommandLineW` `GetThreadTimes` `GetModuleFileNameW` `GetEnvironmentVariableW` `GetSystemDirectoryW` `HeapSetInformation` `CreateProcessW` `GetExitCodeProcess` `FindNextFileW` `WriteFile` `SetEnvironmentVariableW` `FindClose` `WaitForSingleObject` `CreateFileW` `GetFileAttributesW` `OpenProcess` `CreateEventW` `SetEvent` `WaitForSingleObjectEx` `ResetEvent` `SetFilePointerEx` `QueryFullProcessImageNameW` `VirtualLock` `GetStdHandle` `GetCommandLineA` `FindFirstFileExW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetStdHandle` `GetFileType` `GetConsoleOutputCP` `GetConsoleMode` `WriteConsoleW` `DecodePointer`
RPCRT4.dll	`UuidCreate`
ntdll.dll	`RtlNtStatusToDosError` `RtlGetVersion` `RtlPcToFileHeader` `RtlUnwindEx` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `RtlUnwind`

Delayed Imports

MPSIGSTUB

Type	`BINARY`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`55a54008ad1ba589aa210d2629c1df41`
SHA1	`bf8b4530d8d246dd74ac53a13471bba17941dff7`
SHA256	`4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a`
SHA3	`2767f15c8af2f2c7225d5273fdd683edc714110a987d1054697c348aed4e6cc7`

UPDATEPAYLOAD

Type	`CABINET`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x116ed`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99511`
Detected Filetype	CAB Installer file
MD5	`4aaea226cf3db8eb0f8def97281f9dd3`
SHA1	`5c151bd3c5f6cfb4ca4a5a63a6a80f0899519f9a`
SHA256	`3630c0e433271fdfc129f2b666f33ef3047c551a8b1139779c0279abc454f748`
SHA3	`0261a3b6f3fcfdbebc48122f73735d2f44aed1c200d25517ba3de41b1e5cde6f`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x60c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.55836`
MD5	`92810a8646d2a7bcc34a1f42b95b56dd`
SHA1	`d7866cca926f6e101eaf10242101866fb7a5bea7`
SHA256	`42591cf1a640232e95cf2ef1def4476d364fad1baad44eea0fb5e78ef6743de3`
SHA3	`9879a4876af596ebbd0c165d1f0410230f992863f4376e2d87d0f27f0872a2d3`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x3a3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.18049`
MD5	`4c290cccee6b1740db25a4286268aa95`
SHA1	`c50afa17ee803e822f9cf86c79a10d6bfe626186`
SHA256	`b72cc375901723273dd49e172d85838172f940dafbb61db30da5a3ea1b0ed9b9`
SHA3	`b980d3edf3c1c5cc89be7932187926e299439c4f5bc4e7e1946f1f7ce25fd576`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.445.113.0
ProductVersion	1.445.113.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Microsoft Antimalware WU Stub
InternalName	AM_Delta_Patch_1.445.111.0.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	AM_Delta_Patch_1.445.111.0.exe
ProductName	Microsoft Malware Protection
FileVersion (#2)	1.445.113.0
ProductVersion (#2)	1.445.113.0
StubName	WuStubFinal
StubVersion	1.1.24010.2001

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2036-Jan-17 14:41:28
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0x37974`
PointerToRawData	`0x37974`
Referenced File	MpWUStub.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2036-Jan-17 14:41:28
Version	`0.0`
SizeofData	`1204`
AddressOfRawData	`0x3799c`
PointerToRawData	`0x3799c`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2036-Jan-17 14:41:28
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x37e78`
PointerToRawData	`0x37e78`

UNKNOWN (#2)

Characteristics	`0`
TimeDateStamp	2036-Jan-17 14:41:28
Version	`0.0`
SizeofData	`4`
AddressOfRawData	`0x37e9c`
PointerToRawData	`0x37e9c`

TLS Callbacks

StartAddressOfRawData	`0x140037ec0`
EndAddressOfRawData	`0x140037ec8`
AddressOfIndex	`0x14003d188`
AddressOfCallbacks	`0x14002f968`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003bc18`
GuardCFCheckFunctionPointer	`5368903824`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xc022b7f8`
Unmarked objects	`0`
C objects (32595)	`26`
ASM objects (32595)	`17`
C++ objects (32595)	`207`
Imports (32595)	`9`
Total imports	`295`
C++ objects (LTCG) (32595)	`74`
Resource objects (32595)	`1`
Linker (32595)	`1`

7dd5f9ab4fb9c71419af973fcf2e973d

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

MPSIGSTUB

UPDATEPAYLOAD

1

1 (#2)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

UNKNOWN

UNKNOWN (#2)

TLS Callbacks

Load Configuration

RICH Header

Errors