See below the explanation I used.
I'll post any updates here, if they answer.
TLDR: this is very-very sure a false positive. It is produced from known sources, of a reputable open source project, built in the cloud on a GitHub owned runner, at a known git tag, digitally signed by a member of the ICU team, all artifacts traceable.
---
This is a utility that is part of the official release of the International Components for Unicode library.
It is inside the official zip file icu4c-77_1-Win64-MSVC2022.zip at
https://github.com/unicode-org/icu/releases/tag/release-77-1
PGP signed by a member of the ICU team (icu4c-77_1-Win64-MSVC2022.zip.asc)
It was built from the sources here:
https://github.com/unicode-org/icu/tree/main/icu4c/source/tools/gencfu
At Git tag `release-77-1`
And it was built "in the cloud", on a GitHub runner, not on some local dev machine that might be infected.
You can even download the artifact of the cloud run here:
https://github.com/unicode-org/icu/actions/runs/13841950059
Download icu4c.Win64.run_#2386 and unzip it, it contains an icu4c-77_1-Win64-MSVC2022.zip file that is byte to byte identical to the one in the GitHub release.
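
The comparison described in the post above can be scripted; this is an added example, not part of the original post and not ICU project code. It checks that the zip nested in the Actions artifact is byte-identical to the release zip and that the flagged file's SHA-256 matches a file inside that release. The function names, the `gencfu.exe` file name, the `bin64/` path in the sample and the caller-supplied flagged hash are assumptions.

```python
import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def basename_matches(zip_bytes: bytes, name: str) -> dict:
    """Map member path -> content for members whose file name equals `name`."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {m: z.read(m) for m in z.namelist()
                if m.rsplit("/", 1)[-1].lower() == name.lower()}


def check_provenance(release_zip: bytes, artifact_zip: bytes,
                     release_name: str, tool_name: str, flagged_sha256: str) -> dict:
    # The Actions artifact is an outer zip that wraps the release zip.
    nested = basename_matches(artifact_zip, release_name)
    if len(nested) != 1:
        raise ValueError(f"expected one {release_name} in artifact, found {len(nested)}")
    tools = basename_matches(release_zip, tool_name)
    return {
        "release_sha256": sha256(release_zip),
        # Byte-for-byte comparison of CI output against the published release.
        "artifact_identical": next(iter(nested.values())) == release_zip,
        # Ties the scanner-flagged sample to a file shipped in that release.
        "flagged_file_in_release":
            flagged_sha256.lower() in {sha256(b) for b in tools.values()},
    }


def make_zip(members: dict) -> bytes:
    """Build a small in-memory zip (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    tool = b"constructed stand-in for the flagged binary"
    release = make_zip({"bin64/gencfu.exe": tool})  # assumed path, sample only
    artifact = make_zip({"icu4c-77_1-Win64-MSVC2022.zip": release})
    print(check_provenance(release, artifact, "icu4c-77_1-Win64-MSVC2022.zip",
                           "gencfu.exe", sha256(tool)))
```

With real downloads, read the two files from disk as bytes and pass the hash reported by the scanner; checking the `.asc` signature with a PGP tool is a separate step.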