Manalyze report for d9e813b7c59a7c4789085f42edfdc37dc31403ae4d1dc8d1bde1bad6ae578e98

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2026-Mar-23 03:07:21
Detected languages	English - United States
Debug artifacts	MpWUStub.pdb
CompanyName	Microsoft Corporation
FileDescription	Microsoft Antimalware WU Stub
InternalName	AM_Delta_Patch_1.445.708.0.exe
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	AM_Delta_Patch_1.445.708.0.exe
ProductName	Microsoft Malware Protection
FileVersion	`1.445.713.0`
ProductVersion	`1.445.713.0`
StubName	WuStubFinal
StubVersion	1.1.24010.2001

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8.0`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegCreateKeyExW RegSetValueExW RegOpenKeyExW RegQueryValueExW RegCloseKey` `Possibly launches other programs: CreateProcessW` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken CheckTokenMembership` `Manipulates other processes: Process32NextW Process32FirstW OpenProcess`
Malicious	The PE is possibly a dropper.	`Resource UPDATEPAYLOAD detected as a CAB Installer file.`
Info	The PE is digitally signed.	`Signer: Microsoft Corporation` `Issuer: Microsoft Windows Code Signing PCA 2024`
Safe	VirusTotal score: 0/71 (Scanned on 2026-03-23 08:04:32)	`All the AVs think this file is safe.`

Hashes

MD5	`f6bf3b4ce2b46a9d4319bb635e815ff7`
SHA1	`e32817e003508971f9cca6f7db7355979d22e371`
SHA256	`d9e813b7c59a7c4789085f42edfdc37dc31403ae4d1dc8d1bde1bad6ae578e98`
SHA3	`f9a40f685f1cfc1e46338ff46c3c7e1e1dd7741134337a18dd907daa5982f995`
SSDeep	`6144:crCFuGeF7SsncR9klvkRS6E/9+9ECqbRo+G6zWqiU:gkIFuus9klvkRSPKqbn/zwU`
Imports Hash	`52cee9c1bc4bda1f4f98a36e5ef61615`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2026-Mar-23 03:07:21
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2c000`
SizeOfInitializedData	`0x2b000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000007770 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x5a000`
SizeOfHeaders	`0x1000`
Checksum	`0x62246`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`76710c3d5f1d50f5e4331c654bc11c99`
SHA1	`bfacc68dd76d730616d367a4c5472fea35454b82`
SHA256	`4126a5ae7cbe6e44224fb3d9607b86c041a13595bfce720d53784e12e561bae2`
SHA3	`b5c855023dde98adc48dc4ad7de96c997926472a4979139912b04f90bf591e10`
VirtualSize	`0x2bc62`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2c000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46837`

.rdata

MD5	`1bdc066dbbd26cb28726389287a5ba99`
SHA1	`374e724ddb40218f206764b5a171a0fd363b6836`
SHA256	`1769658b0cb15d00c3ef5ce0b004061caf2d03a300877fedf43bf17cf3165b91`
SHA3	`3c99f558beefab47ee9b252d9038b729f0a17bdd8cb8196896df391e865b53bc`
VirtualSize	`0xdeec`
VirtualAddress	`0x2d000`
SizeOfRawData	`0xe000`
PointerToRawData	`0x2d000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.06487`

.data

MD5	`cdea481a7fd962cbae3eced6666c8b15`
SHA1	`2b136a04ea4ee200bd99fc17f6b6873b3838a1a5`
SHA256	`d7d7df901258d03810560fd8d7e44e32211ecd304e4461497c3a51b356ea14aa`
SHA3	`883c7d0023104d418581663a272f145afbc29864771951e13ba7fb98d58c38b2`
VirtualSize	`0x24e0`
VirtualAddress	`0x3b000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x3b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.6641`

.pdata

MD5	`febe8f1985b0cdd587d5c9e9a6502085`
SHA1	`71a0d54326d226cf505e0c54608929397281c04b`
SHA256	`b206505eb6315b4ada04aaa30046726fe5f936d7c3ce7a15d715a950d75804ae`
SHA3	`e112edb8c2704cc878cc5a2272961e2b2814f2bbba24b22a771941855d848f20`
VirtualSize	`0x20c4`
VirtualAddress	`0x3e000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x3c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.0596`

.rsrc

MD5	`911bafcb9a0d105c831e973205ccb9b3`
SHA1	`7803ab80240ba7ba6c4ec7728e82e8ac2d22fc6c`
SHA256	`154196a9199d8da4e01fb804609af206e9562a920cffc05a1cc43fd07a600a10`
SHA3	`b76fead471e4b65c2963decdfa20367e2c5796fd798b7cb8dc576d92df562ff1`
VirtualSize	`0x179e4`
VirtualAddress	`0x41000`
SizeOfRawData	`0x18000`
PointerToRawData	`0x3f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.97246`

.reloc

MD5	`c4c9c12741319b959b0e3d96f105e282`
SHA1	`87cae12cd59c24dbfddf69f34a042c6b74372c24`
SHA256	`2dff5bfd87ecd4f14694a854b8820b09ccb00201449e36e21c1ca1384e55b4af`
SHA3	`cb66eb01cc5b785326abaf1a630d37d9cc55ec72a5400dcdc635b8b8b7d4efec`
VirtualSize	`0x610`
VirtualAddress	`0x59000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x57000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.91245`

Imports

ADVAPI32.dll	`UnregisterTraceGuids` `RegisterTraceGuidsW` `GetTraceEnableLevel` `GetTraceEnableFlags` `GetTraceLoggerHandle` `TraceMessage` `EventWriteTransfer` `RegCreateKeyExW` `RegSetValueExW` `RegOpenKeyExW` `RegQueryValueExW` `LookupPrivilegeValueW` `AdjustTokenPrivileges` `RegCloseKey` `EventUnregister` `EventRegister` `OpenThreadToken` `OpenProcessToken` `GetLengthSid` `CheckTokenMembership` `FreeSid` `CopySid` `AllocateAndInitializeSid`
KERNEL32.dll	`CloseHandle` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetLastError` `SetLastError` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `GetCurrentThread` `GetCurrentThreadId` `HeapAlloc` `HeapFree` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `FlsAlloc` `FlsGetValue` `FlsSetValue` `FlsFree` `InitializeCriticalSectionAndSpinCount` `GetSystemTimeAsFileTime` `FreeLibrary` `GetProcAddress` `LoadLibraryExW` `CompareStringW` `LCMapStringW` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetStringTypeW` `MultiByteToWideChar` `ExitProcess` `GetModuleHandleW` `GetModuleHandleExW` `GetProcessHeap` `WideCharToMultiByte` `HeapSize` `HeapReAlloc` `GetStartupInfoW` `QueryPerformanceCounter` `GetCurrentProcessId` `InitializeSListHead` `EncodePointer` `RaiseException` `InitializeCriticalSectionEx` `CallNamedPipeW` `InitializeProcThreadAttributeList` `CreateToolhelp32Snapshot` `UpdateProcThreadAttribute` `Process32NextW` `Process32FirstW` `DeleteProcThreadAttributeList` `WaitNamedPipeW` `VirtualQuery` `FlushFileBuffers` `GetProcessId` `GetProcessTimes` `GetCommandLineW` `GetThreadTimes` `GetModuleFileNameW` `GetEnvironmentVariableW` `GetSystemDirectoryW` `HeapSetInformation` `CreateProcessW` `GetExitCodeProcess` `FindNextFileW` `WriteFile` `SetEnvironmentVariableW` `FindClose` `WaitForSingleObject` `CreateFileW` `GetFileAttributesW` `OpenProcess` `CreateEventW` `SetEvent` `WaitForSingleObjectEx` `ResetEvent` `SetFilePointerEx` `QueryFullProcessImageNameW` `VirtualLock` `GetStdHandle` `GetCommandLineA` `FindFirstFileExW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetStdHandle` `GetFileType` `GetConsoleOutputCP` `GetConsoleMode` `WriteConsoleW` `DecodePointer`
RPCRT4.dll	`UuidCreate`
ntdll.dll	`RtlNtStatusToDosError` `RtlGetVersion` `RtlPcToFileHeader` `RtlUnwindEx` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `RtlUnwind`

Delayed Imports

MPSIGSTUB

Type	`BINARY`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`55a54008ad1ba589aa210d2629c1df41`
SHA1	`bf8b4530d8d246dd74ac53a13471bba17941dff7`
SHA256	`4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a`
SHA3	`2767f15c8af2f2c7225d5273fdd683edc714110a987d1054697c348aed4e6cc7`

UPDATEPAYLOAD

Type	`CABINET`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x16eae`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99647`
Detected Filetype	CAB Installer file
MD5	`a38ffd6c65ac5a4312fc556ed66c768c`
SHA1	`6619ada0244124d064858f0f1e14eb903500cd2b`
SHA256	`f2a5b91bada3a93b57bf505e757bcc3c5b8d383e5342fc6ee341d28ed76c62c3`
SHA3	`39a30bacbef5c839fdecc91d1741fe65ca7f78aec2b87dca63f66a9c608e1d30`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x60c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.58394`
MD5	`41b245a6036401db7eb3b4446f4ca78c`
SHA1	`1413787ef11387953af4a3d1af49f4a473b95df4`
SHA256	`fd8b199204bd0920be8886194cfaf83917e6cc35153d16b45ef6b331a9e3116a`
SHA3	`5bbfd1508eb8a63bf975b9b1e7d3185fb1838acbd6c85dfe55fd857c67198ee2`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x3a3`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.18049`
MD5	`4c290cccee6b1740db25a4286268aa95`
SHA1	`c50afa17ee803e822f9cf86c79a10d6bfe626186`
SHA256	`b72cc375901723273dd49e172d85838172f940dafbb61db30da5a3ea1b0ed9b9`
SHA3	`b980d3edf3c1c5cc89be7932187926e299439c4f5bc4e7e1946f1f7ce25fd576`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.445.713.0
ProductVersion	1.445.713.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Microsoft Antimalware WU Stub
InternalName	AM_Delta_Patch_1.445.708.0.exe
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	AM_Delta_Patch_1.445.708.0.exe
ProductName	Microsoft Malware Protection
FileVersion (#2)	1.445.713.0
ProductVersion (#2)	1.445.713.0
StubName	WuStubFinal
StubVersion	1.1.24010.2001

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2036-Jan-17 14:41:28
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0x37974`
PointerToRawData	`0x37974`
Referenced File	MpWUStub.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2036-Jan-17 14:41:28
Version	`0.0`
SizeofData	`1204`
AddressOfRawData	`0x3799c`
PointerToRawData	`0x3799c`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2036-Jan-17 14:41:28
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x37e78`
PointerToRawData	`0x37e78`

UNKNOWN (#2)

Characteristics	`0`
TimeDateStamp	2036-Jan-17 14:41:28
Version	`0.0`
SizeofData	`4`
AddressOfRawData	`0x37e9c`
PointerToRawData	`0x37e9c`

TLS Callbacks

StartAddressOfRawData	`0x140037ec0`
EndAddressOfRawData	`0x140037ec8`
AddressOfIndex	`0x14003d188`
AddressOfCallbacks	`0x14002f968`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003bc18`
GuardCFCheckFunctionPointer	`5368903824`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xc022b7f8`
Unmarked objects	`0`
C objects (32595)	`26`
ASM objects (32595)	`17`
C++ objects (32595)	`207`
Imports (32595)	`9`
Total imports	`295`
C++ objects (LTCG) (32595)	`74`
Resource objects (32595)	`1`
Linker (32595)	`1`

Errors

Leave a comment

No comments yet.