0a95935e558c8c7d34071b85b244bb68506b29ce5dd13f076b20a4f8246c182d

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2026-Apr-06 18:07:48
Detected languages English - United States
Debug artifacts MpAdlElvtStub.pdb
CompanyName Microsoft Corporation
FileDescription AntiMalware Platform Update (amd64fre)
InternalName UpdatePlatform.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename UpdatePlatform.exe
ProductName Microsoft Malware Protection
FileVersion 4.18.26030.3011
ProductVersion 4.18.26030.3011
StubVersion 1.1.26030.3011

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior.
  Contains references to security software:
    • MsMpEng.exe
  Miscellaneous malware strings:
    • Cmd.exe
Info: Cryptographic algorithms detected in the binary.
  • Uses constants related to CRC32
  • Uses constants related to MD5
  • Uses constants related to SHA1
  • Uses constants related to SHA256
Suspicious: The PE is possibly packed. Unusual section name found: .fptable
Malicious: The PE contains functions mostly used by malware.
  [!] The program may be hiding some of its imports:
    • LoadLibraryExW
    • GetProcAddress
  Functions which can be used for anti-debugging purposes:
    • CreateToolhelp32Snapshot
  Can access the registry:
    • RegSetValueExW
    • RegQueryValueExW
    • RegOpenKeyExW
    • RegCreateKeyExW
    • RegCloseKey
  Possibly launches other programs:
    • CreateProcessW
  Can create temporary files:
    • GetTempPathW
    • CreateFileW
  Functions related to the privilege level:
    • CheckTokenMembership
    • AdjustTokenPrivileges
    • OpenProcessToken
  Manipulates other processes:
    • OpenProcess
    • Process32FirstW
    • Process32NextW
Malicious: The PE is possibly a dropper. Resource UPDATEPAYLOAD detected as a CAB Installer file.
  Resources account for 97.3226% of the executable.
Info: The PE is digitally signed.
  Signer: Microsoft Windows Publisher
  Issuer: Microsoft Windows Production PCA 2011
Safe: VirusTotal score: 0/70 (scanned on 2026-05-04 14:50:29). All the AVs think this file is safe.

Hashes

MD5 65eba30ca06271ac66cd636f9be35a97
SHA1 ef488e855b50b875137a5d335e4a6a76c186992a
SHA256 0a95935e558c8c7d34071b85b244bb68506b29ce5dd13f076b20a4f8246c182d
SHA3 027f84274af28d818a46d65f827fb66a5837d9fba21dbd356189ce660cf1d5f7
SSDeep 393216:QSJ1fcE82hdnRT1J/s42YIpbMqKdW8/yhvGa04PeoHw2q+GCL:p1x/nl1JSYobMqB8/EGa04PFw2q+GO
Imports Hash 0a451026a25565b06ae9a2d773eefdfc

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x120

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2026-Apr-06 18:07:48
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x38000
SizeOfInitializedData 0x121c000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000011C40 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 10.0
ImageVersion 10.0
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0x1256000
SizeOfHeaders 0x1000
Checksum 0x1287839
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x80000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 421b88e897ac6d317f9c2938a116a681
SHA1 cf624b3c721754c888b550d88fb06a458cc6bf06
SHA256 906f17c17a83f7499d9d66877cde456ab833bb4ef125b862356fea57312d8bcd
SHA3 773e4596dd6e0675ac753dc3f902af49ebac150973664bc74beef952cfde6aaf
VirtualSize 0x3757f
VirtualAddress 0x1000
SizeOfRawData 0x38000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.43097

.rdata

MD5 fe2867fe9285093b7b0b296761b16f7c
SHA1 85b3faacbbdb69d5ca7cc2d97ffae80d71f6b5c7
SHA256 3b498f8aa068d01ee6d199c666be3f2ef73dfb0621d8e10fdab1df85fda2fcb1
SHA3 1cb14d67b0d4b96f21da403115f51bbeb3ba0d29f1144796d5bb12402fc9ca8c
VirtualSize 0x12658
VirtualAddress 0x39000
SizeOfRawData 0x13000
PointerToRawData 0x39000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.02921

.data

MD5 e5e1fff94af45c36cca170a0b8d1f00e
SHA1 27e69d4d39a3a893278def01343b9a0ed341936a
SHA256 17991dd2370484be7c5f57ea46d6c6bc47980b9cd048fdb82bb1edd97a060d1c
SHA3 11eaacab39b5bbc9c30b4f78699975fd403977026823fca60312b9230621ccbe
VirtualSize 0x2d98
VirtualAddress 0x4c000
SizeOfRawData 0x2000
PointerToRawData 0x4c000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.478

.pdata

MD5 afafa6d741c73bc19fc95844cc6064e9
SHA1 d3adad2b394a851857e00081e1c7666294d6968e
SHA256 095c97c710428e6f2b33cd2b4fac111a46815ad993c1d8f9052f2fa76dd59731
SHA3 7f2b86ec599208e819cff297b7b52cce127549dd67aad661ead1ed4864ba657d
VirtualSize 0x2e98
VirtualAddress 0x4f000
SizeOfRawData 0x3000
PointerToRawData 0x4e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.34877

.fptable

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA3 a99f9ed58079237f7f0275887f0c03a0c9d7d8de4443842297fceea67e423563
VirtualSize 0x100
VirtualAddress 0x52000
SizeOfRawData 0x1000
PointerToRawData 0x51000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0

.rsrc

MD5 d5cc3c24edaf18503cd5e1fc5e80fa71
SHA1 76de91ab20a861e8a271f0bd5c431d1d74dc4746
SHA256 5790d67bd449189a632e3bbb33ec81f2fd3e7c93599bb7289df0dfa9a3c3d65b
SHA3 6a88418113ef0d93d7228436a44fb9214be02c7f7f38cecb971d938fe4bb8671
VirtualSize 0x1201e08
VirtualAddress 0x53000
SizeOfRawData 0x1202000
PointerToRawData 0x52000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.99991

.reloc

MD5 c17410163411a372b5fd51d8d968de78
SHA1 34d3ee49fe5a08703838904082b71a0694623411
SHA256 955b1697d1ea8f7b5c04fdbaabe792ef4f2f70ec863612ea70ba081a5cfd80e9
SHA3 7156d610963f44adc73e7b2b10fa2a7172bd2357db9ee053f2a42621a7cafa8c
VirtualSize 0x830
VirtualAddress 0x1255000
SizeOfRawData 0x1000
PointerToRawData 0x1254000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.62162
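The section table above can be checked for internal consistency without the file in hand, and that is worth doing before acting on the "possibly packed" and "97.3226%" lines in the plugin output. The script below is an added example, not output or code from the analysis tool and not Microsoft's; the optional-header and section values are copied from this report, the checks are generic. It verifies that the sections are contiguous and aligned both in memory and on disk, that SizeOfImage matches the last section, computes where section data ends on disk (anything after that offset is overlay, which on a signed file includes the Authenticode certificate table), and reproduces the two section heuristics the report applied. STANDARD_NAMES is an assumed list of conventional MSVC section names used only as a heuristic.

```python
"""Audit a PE section table from the numbers in a static report.

Added example: not the report tool's code and not Microsoft's. Constants
are copied from the optional header and section table printed above.
"""
from dataclasses import dataclass

SECTION_ALIGNMENT = 0x1000
FILE_ALIGNMENT = 0x1000
SIZE_OF_HEADERS = 0x1000
SIZE_OF_IMAGE = 0x1256000

# Assumed set of conventional MSVC section names; anything else is flagged,
# which is the same kind of rule the report's "unusual section name" uses.
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                  ".idata", ".edata", ".tls", ".bss", ".didat", ".gfids", ".00cfg"}


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int      # VirtualAddress (RVA)
    vsize: int      # VirtualSize
    raw_ptr: int    # PointerToRawData
    raw_size: int   # SizeOfRawData
    entropy: float  # as reported


# Section table of UpdatePlatform.exe exactly as listed in the report above.
SECTIONS = [
    Section(".text",    0x1000,    0x3757f,   0x1000,    0x38000,   6.43097),
    Section(".rdata",   0x39000,   0x12658,   0x39000,   0x13000,   5.02921),
    Section(".data",    0x4c000,   0x2d98,    0x4c000,   0x2000,    2.478),
    Section(".pdata",   0x4f000,   0x2e98,    0x4e000,   0x3000,    5.34877),
    Section(".fptable", 0x52000,   0x100,     0x51000,   0x1000,    0.0),
    Section(".rsrc",    0x53000,   0x1201e08, 0x52000,   0x1202000, 7.99991),
    Section(".reloc",   0x1255000, 0x830,     0x1254000, 0x1000,    3.62162),
]


def align_up(value: int, alignment: int) -> int:
    """Round value up to the next multiple of alignment."""
    return -(-value // alignment) * alignment


def audit_layout(sections, section_alignment=SECTION_ALIGNMENT,
                 file_alignment=FILE_ALIGNMENT, size_of_headers=SIZE_OF_HEADERS,
                 size_of_image=SIZE_OF_IMAGE):
    """Return findings as strings; an empty list means the table is
    self-consistent: sections contiguous in memory and on disk, aligned as
    the header promises, first section right after the headers, and
    SizeOfImage equal to the aligned end of the last section."""
    findings = []
    secs = sorted(sections, key=lambda s: s.vaddr)
    if secs[0].raw_ptr != size_of_headers:
        findings.append(f"{secs[0].name}: raw data starts at {secs[0].raw_ptr:#x}, "
                        f"SizeOfHeaders is {size_of_headers:#x}")
    for s in secs:
        if s.vaddr % section_alignment:
            findings.append(f"{s.name}: VirtualAddress {s.vaddr:#x} not section-aligned")
        if s.raw_ptr % file_alignment or s.raw_size % file_alignment:
            findings.append(f"{s.name}: raw data not {file_alignment:#x}-aligned")
    for prev, cur in zip(secs, secs[1:]):
        want_va = align_up(prev.vaddr + prev.vsize, section_alignment)
        if cur.vaddr != want_va:
            findings.append(f"{cur.name}: VirtualAddress {cur.vaddr:#x}, expected {want_va:#x}")
        want_raw = prev.raw_ptr + prev.raw_size
        if cur.raw_ptr != want_raw:
            findings.append(f"{cur.name}: PointerToRawData {cur.raw_ptr:#x}, expected {want_raw:#x}")
    last = secs[-1]
    want_image = align_up(last.vaddr + last.vsize, section_alignment)
    if want_image != size_of_image:
        findings.append(f"SizeOfImage {size_of_image:#x}, expected {want_image:#x}")
    return findings


def end_of_sections(sections) -> int:
    """File offset just past the last section's raw data. Bytes beyond it are
    overlay; on a signed binary that is where the certificate table lives."""
    return max(s.raw_ptr + s.raw_size for s in sections)


def resource_share(sections) -> float:
    """Fraction of the section data (not the whole file) occupied by .rsrc."""
    rsrc = next(s for s in sections if s.name == ".rsrc")
    return rsrc.raw_size / end_of_sections(sections)


def flag_sections(sections, high_entropy=7.9):
    """The report's two section heuristics: unfamiliar names and
    near-maximal entropy (compressed or encrypted content)."""
    flags = []
    for s in sections:
        if s.name not in STANDARD_NAMES:
            flags.append((s.name, "non-standard section name"))
        if s.entropy >= high_entropy:
            flags.append((s.name, f"entropy {s.entropy:.3f}: compressed or encrypted data"))
    return flags


if __name__ == "__main__":
    print("layout findings:", audit_layout(SECTIONS) or "none")
    print(f"section data ends at {end_of_sections(SECTIONS):#x}; "
          f".rsrc is {resource_share(SECTIONS):.2%} of it")
    for name, why in flag_sections(SECTIONS):
        print(f"{name}: {why}")
```

For this table the audit reports nothing, section data ends at 0x1255000, and .rsrc is about 98.2% of it. The report's 97.3226% is measured against the whole file, so the gap is whatever the file carries past the last section. The .fptable flag is purely name-based: a section of 0x100 virtual bytes with entropy 0, next to a .text section at an ordinary 6.43, is not the footprint of a packer, whereas .rsrc at 7.99991 is exactly what an embedded compressed CAB looks like.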

Imports

RPCRT4.dll UuidCreate
ntdll.dll RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlUnwindEx
RtlPcToFileHeader
RtlGetVersion
RtlNtStatusToDosError
NtSetInformationFile
KERNEL32.dll GetFileSizeEx
RemoveDirectoryW
SetFilePointerEx
WriteFile
SetLastError
WaitForSingleObject
OpenProcess
LoadLibraryExW
GetEnvironmentVariableW
GetCurrentDirectoryW
GetTempPathW
HeapSetInformation
GetExitCodeProcess
CreateProcessW
GetSystemDirectoryW
GetModuleHandleW
HeapAlloc
HeapFree
GetProcessHeap
GetFileAttributesW
EncodePointer
DecodePointer
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
MultiByteToWideChar
WideCharToMultiByte
GetSystemTimeAsFileTime
QueryFullProcessImageNameW
VirtualLock
HeapReAlloc
HeapSize
FlsFree
FindNextFileW
FindFirstFileExW
FindClose
DeleteFileW
CreateFileW
CreateDirectoryW
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetProcAddress
GetThreadTimes
FlushFileBuffers
VirtualQuery
DosDateTimeToFileTime
GetSystemTime
FreeLibrary
SystemTimeToFileTime
FindResourceW
LoadResource
LockResource
SetFilePointer
VirtualUnlock
SetFileTime
SizeofResource
GetProcessTimes
Process32FirstW
Process32NextW
GetLastError
CreateToolhelp32Snapshot
GetCurrentProcessId
GetCommandLineW
Sleep
SetFileAttributesW
ReadFile
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
GetCurrentThreadId
GetCurrentThread
GetCurrentProcess
CloseHandle
GetModuleHandleExW
GetModuleFileNameW
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
SetErrorMode
SetUnhandledExceptionFilter
GetStringTypeW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetConsoleOutputCP
GetConsoleMode
ReadConsoleW
SetEndOfFile
WriteConsoleW
EnterCriticalSection
FlsSetValue
LCMapStringW
CompareStringW
VirtualProtect
TerminateProcess
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RaiseException
SetConsoleCtrlHandler
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStdHandle
ExitProcess
GetCommandLineA
GetFileType
FlsAlloc
FlsGetValue
InitializeCriticalSectionEx
ADVAPI32.dll SetSecurityDescriptorControl
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
LookupPrivilegeValueW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
InitializeAcl
GetTokenInformation
GetLengthSid
FreeSid
CopySid
CheckTokenMembership
AllocateAndInitializeSid
AdjustTokenPrivileges
AddAccessAllowedAceEx
OpenThreadToken
OpenProcessToken
RegCloseKey
TraceMessage
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
EventWriteTransfer
EventSetInformation
EventUnregister
EventRegister
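The import table above is what both the Imports Hash in the Hashes section and the "functions mostly used by malware" verdict are derived from. The script below is an added example, not the analysis tool's code, that recomputes an import hash the way the common pefile/Mandiant convention does (lower-case, strip a .dll/.ocx/.sys suffix, write ordinal-only imports as ord<N>, join "dll.func" entries with commas in import-table order, MD5) and groups the listed APIs into the capability clusters the report keys on. Two assumptions: pefile additionally maps known ordinals of ws2_32 and oleaut32 back to names, which this version skips, and SAMPLE_IMPORTS is a constructed subset of the table above, so its hash will not equal the report's 0a451026a25565b06ae9a2d773eefdfc; only the complete table in on-disk order reproduces that value.

```python
"""Import hash and capability tagging from a PE import table.

Added example, not the report tool's code. Rules follow the common
pefile/Mandiant imphash convention without the ws2_32/oleaut32 ordinal map.
"""
import hashlib


def imphash_string(imports) -> str:
    """imports: iterable of (dll_name, [function name or ordinal int, ...])
    in import-table order. Returns the normalized string that gets hashed."""
    parts = []
    for dll, funcs in imports:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        for f in funcs:
            parts.append(f"{base}.ord{f}" if isinstance(f, int) else f"{base}.{f.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Capability clusters the report flags. Presence is capability, not intent:
# every one of these is something a platform updater legitimately needs.
CLUSTERS = {
    "dynamic import resolution": {"loadlibraryexw", "getprocaddress"},
    "process enumeration": {"createtoolhelp32snapshot", "process32firstw",
                            "process32nextw", "openprocess"},
    "process creation": {"createprocessw"},
    "privilege / token handling": {"openprocesstoken", "adjusttokenprivileges",
                                   "checktokenmembership"},
    "registry write": {"regsetvalueexw", "regcreatekeyexw"},
}


def capability_tags(imports):
    """Sorted cluster names for which at least one API is imported."""
    names = {f.lower() for _, funcs in imports for f in funcs if isinstance(f, str)}
    return sorted(tag for tag, apis in CLUSTERS.items() if apis & names)


# Constructed subset of the report's import table, in the order it lists them.
SAMPLE_IMPORTS = [
    ("RPCRT4.dll", ["UuidCreate"]),
    ("ntdll.dll", ["RtlGetVersion", "NtSetInformationFile"]),
    ("KERNEL32.dll", ["OpenProcess", "LoadLibraryExW", "CreateProcessW", "GetProcAddress",
                      "Process32FirstW", "Process32NextW", "CreateToolhelp32Snapshot"]),
    ("ADVAPI32.dll", ["RegSetValueExW", "AdjustTokenPrivileges", "OpenProcessToken"]),
]


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print("imphash (subset only):", imphash(SAMPLE_IMPORTS))
    print("capabilities:", capability_tags(SAMPLE_IMPORTS))
```

An imphash is most useful as a pivot: the same value across several files means the same linker input, which for a Microsoft platform updater should match other builds of UpdatePlatform.exe. The capability tags should be read against the rest of this report. Enumerating processes, adjusting token privileges, writing registry values and spawning a child are what a signed updater does when it replaces MsMpEng.exe, so the controlling evidence is the Authenticode signature, and that should be verified on the file itself (signtool verify /pa or Get-AuthenticodeSignature) rather than taken from the "digitally signed" line in a report.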

Delayed Imports

(EMPTY)

Resources

UPDATEPAYLOAD

Type CABINET
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x12014cd
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.99992
Detected Filetype CAB Installer file
MD5 992e97450aa5fb1995a9920057dd017a
SHA1 7d7a0d8daad4c9de880f809c2f4106b53aab23cc
SHA256 13f00176eeffc7c270331440aedb9e0cc079e9e710084e1d07295dfb13315c07
SHA3 5ee5b11ec38af9878d8d846386a6cd12edfa183b751a749f0156995f125a79be

1

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x3d8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.49877
MD5 62727d6856c7f875f3de6a8ac049f912
SHA1 9cead5ccf570663cd83beb66f5de4a05fa1a8c93
SHA256 759d7e8cbc52dfab48f8fadb5af19f409e3a35332368e241d8c4e46559f650f3
SHA3 7710f0cb9660c7631ff621796a029dd08b21b62ee9e49a86cdb6425759eb5750

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x44a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.15207
MD5 dcc46155b038277634160ea968c877af
SHA1 3e66ca84eda2c4364bba1fd24b68248f341ba6c0
SHA256 d97fbdb9d1df7e53739519f21024bee3081c7aba1f415a67c32b5be0d0444a48
SHA3 2e76f2516ab0cbb842084d8370e22a14a4714a29f71138c3ec3efd7140b386d5
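Acting on the "possibly a dropper" verdict means pulling the CABINET/UPDATEPAYLOAD resource out, hashing it against the SHA256 listed for it above, and unpacking it with expand.exe or cabextract. The script below is an added example, not the analysis tool's or Microsoft's code: a minimal IMAGE_RESOURCE_DIRECTORY walker that takes the raw bytes of the .rsrc section plus that section's VirtualAddress (0x53000 in the section table above) and returns the named resource, followed by a CFHEADER check and a SHA-256 of the result. build_sample_rsrc() and fake_cabinet() construct a small stand-in .rsrc and cabinet header so the example runs offline; they are not the real file's contents. On the real file the section is read from disk at PointerToRawData 0x52000 for SizeOfRawData 0x1202000 bytes.

```python
"""Walk a PE resource directory and extract a named resource.

Added example: not the report tool's code and not Microsoft's. Parses the
IMAGE_RESOURCE_DIRECTORY tree with struct only; the sample .rsrc section and
cabinet header at the bottom are constructed for the demonstration.
"""
import hashlib
import struct

DIR_HDR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY: chars, stamp, major, minor, #named, #ids
DIR_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name/Id, OffsetToData
DATA_ENTRY = struct.Struct("<IIII")  # IMAGE_RESOURCE_DATA_ENTRY: data RVA, size, codepage, reserved
HIGH_BIT = 0x80000000                # set: identifier is a name string / target is a subdirectory
LOW31 = 0x7FFFFFFF


def _name_at(rsrc: bytes, off: int) -> str:
    """IMAGE_RESOURCE_DIR_STRING_U: u16 character count, then UTF-16LE text."""
    (length,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2: off + 2 + 2 * length].decode("utf-16-le")


def walk_resources(rsrc: bytes, off: int = 0, path=()):
    """Yield (path, data_rva, size, codepage) for every leaf. path is
    (type, name, language) with str for names and int for IDs, e.g.
    ('CABINET', 'UPDATEPAYLOAD', 0) or (16, 1, 0x409) for RT_VERSION."""
    *_, n_named, n_ids = DIR_HDR.unpack_from(rsrc, off)
    entry_off = off + DIR_HDR.size
    for _ in range(n_named + n_ids):
        ident, target = DIR_ENTRY.unpack_from(rsrc, entry_off)
        entry_off += DIR_ENTRY.size
        key = _name_at(rsrc, ident & LOW31) if ident & HIGH_BIT else ident
        if target & HIGH_BIT:
            yield from walk_resources(rsrc, target & LOW31, path + (key,))
        else:
            data_rva, size, codepage, _ = DATA_ENTRY.unpack_from(rsrc, target)
            yield path + (key,), data_rva, size, codepage


def extract(rsrc: bytes, rsrc_rva: int, rtype, name) -> bytes:
    """Bytes of resource (rtype, name) in whichever language comes first.
    Data normally sits inside .rsrc; an RVA outside it would need mapping
    through the section table, which this example does not do."""
    for path, data_rva, size, _ in walk_resources(rsrc):
        if path[:2] == (rtype, name):
            start = data_rva - rsrc_rva
            if start < 0 or start + size > len(rsrc):
                raise ValueError("resource data lies outside the .rsrc section")
            return rsrc[start:start + size]
    raise KeyError((rtype, name))


def is_cabinet(blob: bytes) -> bool:
    """CFHEADER check: 'MSCF' signature and cbCabinet (offset 8) == blob length."""
    return len(blob) >= 36 and blob[:4] == b"MSCF" and struct.unpack_from("<I", blob, 8)[0] == len(blob)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def fake_cabinet(body: bytes = b"\x00" * 20) -> bytes:
    """Constructed 36-byte CFHEADER with a correct cbCabinet and no folders or files."""
    total = 36 + len(body)
    # reserved1, cbCabinet, reserved2, coffFiles, reserved3, minor, major, cFolders, cFiles, flags, setID, iCabinet
    return b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, total, 0, 36, 0, 3, 1, 0, 0, 0, 0, 0) + body


def build_sample_rsrc(rsrc_rva: int, payload: bytes,
                      version: bytes = b"\xbd\x04\xef\xfe" + b"\x00" * 12) -> bytes:
    """Constructed .rsrc with two leaves, CABINET/UPDATEPAYLOAD/0 -> payload and
    RT_VERSION(16)/1/0x409 -> version, laid out sequentially so offsets agree."""
    def directory(entries):  # entries: [(identifier, target)], named entries first
        named = sum(1 for ident, _ in entries if ident & HIGH_BIT)
        return DIR_HDR.pack(0, 0, 0, 0, named, len(entries) - named) + b"".join(
            DIR_ENTRY.pack(i, t) for i, t in entries)

    def name_blob(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    cab_dir = DIR_HDR.size + 2 * DIR_ENTRY.size
    upd_dir = cab_dir + DIR_HDR.size + DIR_ENTRY.size
    ver_dir = upd_dir + DIR_HDR.size + DIR_ENTRY.size
    ver1_dir = ver_dir + DIR_HDR.size + DIR_ENTRY.size
    data_cab = ver1_dir + DIR_HDR.size + DIR_ENTRY.size
    data_ver = data_cab + DATA_ENTRY.size
    str_cab = data_ver + DATA_ENTRY.size
    str_upd = str_cab + 2 + 2 * len("CABINET")
    payload_off = str_upd + 2 + 2 * len("UPDATEPAYLOAD")
    version_off = payload_off + len(payload)
    return (directory([(HIGH_BIT | str_cab, HIGH_BIT | cab_dir), (16, HIGH_BIT | ver_dir)])
            + directory([(HIGH_BIT | str_upd, HIGH_BIT | upd_dir)])
            + directory([(0, data_cab)])
            + directory([(1, HIGH_BIT | ver1_dir)])
            + directory([(0x409, data_ver)])
            + DATA_ENTRY.pack(rsrc_rva + payload_off, len(payload), 1252, 0)
            + DATA_ENTRY.pack(rsrc_rva + version_off, len(version), 1252, 0)
            + name_blob("CABINET") + name_blob("UPDATEPAYLOAD")
            + payload + version)


if __name__ == "__main__":
    rsrc = build_sample_rsrc(0x53000, fake_cabinet())
    cab = extract(rsrc, 0x53000, "CABINET", "UPDATEPAYLOAD")
    print([p for p, *_ in walk_resources(rsrc)])
    print("cabinet:", is_cabinet(cab), "sha256:", sha256_hex(cab))
```

The entropy of 7.99992 on the resource entry is consistent with a compressed cabinet, and the cabinet's own cbCabinet field should equal the resource size 0x12014cd; a mismatch there, or a SHA256 that differs from 13f00176eeffc7c270331440aedb9e0cc079e9e710084e1d07295dfb13315c07, means the file in hand is not the one this report describes.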

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 4.18.26030.3011
ProductVersion 4.18.26030.3011
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription AntiMalware Platform Update (amd64fre)
InternalName UpdatePlatform.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename UpdatePlatform.exe
ProductName Microsoft Malware Protection
FileVersion (#2) 4.18.26030.3011
ProductVersion (#2) 4.18.26030.3011
StubVersion 1.1.26030.3011
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 1971-Jun-05 02:18:39
Version 0.0
SizeofData 42
AddressOfRawData 0x46b94
PointerToRawData 0x46b94
Referenced File MpAdlElvtStub.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 1971-Jun-05 02:18:39
Version 0.0
SizeofData 20
AddressOfRawData 0x46bc0
PointerToRawData 0x46bc0

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 1971-Jun-05 02:18:39
Version 0.0
SizeofData 1264
AddressOfRawData 0x46bd4
PointerToRawData 0x46bd4

UNKNOWN

Characteristics 0
TimeDateStamp 1971-Jun-05 02:18:39
Version 0.0
SizeofData 36
AddressOfRawData 0x470ec
PointerToRawData 0x470ec

UNKNOWN (#2)

Characteristics 0
TimeDateStamp 1971-Jun-05 02:18:39
Version 0.0
SizeofData 4
AddressOfRawData 0x47110
PointerToRawData 0x47110

TLS Callbacks

StartAddressOfRawData 0x140047138
EndAddressOfRawData 0x140047140
AddressOfIndex 0x14004dba0
AddressOfCallbacks 0x1400395c8
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14004c1c0
GuardCFCheckFunctionPointer 0x140039508
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x80a50d87
Unmarked objects 0
C++ objects (33145) 161
C objects (33145) 13
ASM objects (33145) 8
ASM objects (35207) 9
C objects (35207) 17
C++ objects (35207) 52
ASM objects (35222) 1
C objects (35222) 10
Imports (33145) 9
Total imports 299
C++ objects (35222) 54
C++ objects (LTCG) (35222) 10
Resource objects (35222) 1
151 1
Linker (35222) 1

Errors
