| Architecture |
IMAGE_FILE_MACHINE_AMD64
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2022-Sep-21 02:16:46 |
| Detected languages |
English - United States
|
| CompanyName | Wondershare |
| FileDescription | wsUpgrade |
| FileVersion | 1.4.3.5 |
| InternalName | wsUpgrade.dll |
| LegalCopyright | Copyright © 2022 Wondershare. All rights reserved. |
| OriginalFilename | wsUpgrade.dll |
| ProductName | wsUpgrade |
| ProductVersion | 1.4.3.5 |
| Info | Interesting strings found in the binary: |
Contains domain names:
|
| Info | Cryptographic algorithms detected in the binary: |
Uses constants related to SHA1
Uses constants related to SHA256 |
| Suspicious | The PE is possibly packed. |
Unusual section name found:
Section is both writable and executable. Unusual section name found: Section is both writable and executable. Unusual section name found: Section is both writable and executable. Unusual section name found: Section is both writable and executable. Unusual section name found: Section is both writable and executable. Unusual section name found: Section is both writable and executable. Section .rsrc is both writable and executable. Unusual section name found: Section is both writable and executable. Unusual section name found: Section is both writable and executable. |
| Suspicious | The PE contains functions most legitimate programs don't use. |
[!] The program may be hiding some of its imports:
|
| Suspicious | The file contains overlay data. |
21336 bytes of data starting at offset 0x357200.
The overlay data has an entropy of 7.64801 and is possibly compressed or encrypted. |
| Malicious | VirusTotal score: 44/72 (Scanned on 2025-11-17 06:49:38) |
ALYac:
Gen:Variant.Application.FCA.5576
AhnLab-V3: Unwanted/Win.Crack.R674423 Alibaba: Packed:Win64/Enigma.af12f091 Arcabit: Trojan.Application.FCA.D15C8 BitDefender: Gen:Variant.Application.FCA.5576 Bkav: W64.AIDetectMalware CAT-QuickHeal: Trojan.Ghanarava.17183469547a1358 CTX: dll.trojan.enigma CrowdStrike: win/malicious_confidence_100% (W) Cylance: Unsafe Cynet: Malicious (score: 100) DeepInstinct: MALICIOUS Elastic: malicious (high confidence) Emsisoft: Gen:Variant.Application.FCA.5576 (B) Fortinet: W32/PossibleThreat GData: Gen:Variant.Application.FCA.5576 Google: Detected Gridinsoft: Malware.Win64.Wacatac.cc Ikarus: Trojan.Win64.Enigma K7AntiVirus: Trojan ( 005822311 ) K7GW: Riskware ( 005d33251 ) Lionic: Trojan.Win32.Enigma.4!c Malwarebytes: Trojan.MalPack MaxSecure: Trojan.Malware.218686975.susgen McAfeeD: ti!30F58DEA31A4 MicroWorld-eScan: Gen:Variant.Application.FCA.5576 Microsoft: Trojan:Win64/Tedy.MR!MTB Paloalto: generic.ml Panda: PUP/Generic Rising: Trojan.BadProtect@XH.E639 (TAGGANT:3I/0cs8pJWoNr59Fx+mO7g) SentinelOne: Static AI - Suspicious PE Skyhigh: BehavesLike.Win64.Generic.wc Sophos: Mal/Generic-S Symantec: Trojan Horse TrellixENS: Artemis!87805DB2B17D TrendMicro: Trojan.Win32.POSSIBLETHREAT.USBLCP24 TrendMicro-HouseCall: Trojan.Win32.POSSIBLETHREAT.USBLCP24 VBA32: Trojan.Win64.Enigma VIPRE: Gen:Variant.Application.FCA.5576 Varist: W64/Enigma.G.gen!Eldorado Webroot: W32.Trojan.Gen Yandex: Trojan.Enigma!kzQNNgiZMJM Zillya: Trojan.Enigma.Win64.3056 alibabacloud: VirTool:Win/Packed.Enigma.BY |
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x128 |
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_AMD64
|
| NumberofSections | 9 |
| TimeDateStamp | 2022-Sep-21 02:16:46 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics |
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
|
| Magic | PE32+ |
|---|---|
| LinkerVersion | 12.0 |
| SizeOfCode | 0x89a00 |
| SizeOfInitializedData | 0x34a00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000000000EF8BC4 (Section: ) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x180000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0xefc000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0xc494f |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
|
| SizeofStackReserve | 0x200000 |
| SizeofStackCommit | 0x2000 |
| SizeofHeapReserve | 0x200000 |
| SizeofHeapCommit | 0x2000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| kernel32.dll |
GetModuleHandleA
GetProcAddress ExitProcess LoadLibraryA |
|---|---|
| user32.dll |
MessageBoxA
|
| advapi32.dll |
RegCloseKey
|
| oleaut32.dll |
SysFreeString
|
| gdi32.dll |
CreateFontA
|
| shell32.dll |
ShellExecuteA
|
| version.dll |
GetFileVersionInfoA
|
| ole32.dll |
OleInitialize
|
| cdndown.dll |
set_callback_complete
|
| MSVCP120.dll |
?_Xlength_error@std@@YAXPEBD@Z
|
| MSVCR120.dll |
atoi
|
| SHLWAPI.dll |
PathFileExistsW
|
| CRYPT32.dll |
CertCreateCertificateChainEngine
|
| WLDAP32.dll |
#27
|
| WS2_32.dll |
WSACleanup
|
| Ordinal | 1 |
|---|---|
| Address | 0x7ee98 |
| Ordinal | 2 |
|---|---|
| Address | 0x7ef98 |
| Ordinal | 3 |
|---|---|
| Address | 0x7f2d8 |
| Ordinal | 4 |
|---|---|
| Address | 0x7f3d8 |
| Ordinal | 5 |
|---|---|
| Address | 0x7f56c |
| Ordinal | 6 |
|---|---|
| Address | 0x7f12c |
| Ordinal | 7 |
|---|---|
| Address | 0x7fa90 |
| Ordinal | 8 |
|---|---|
| Address | 0x7f718 |
| Ordinal | 9 |
|---|---|
| Address | 0x7f8c8 |
| Ordinal | 10 |
|---|---|
| Address | 0x7fc88 |
| Ordinal | 11 |
|---|---|
| Address | 0x802f8 |
| Ordinal | 12 |
|---|---|
| Address | 0x8020c |
| Ordinal | 13 |
|---|---|
| Address | 0x800c4 |
| Ordinal | 14 |
|---|---|
| Address | 0x7fd30 |
| Ordinal | 15 |
|---|---|
| Address | 0x7fe9c |
| Ordinal | 16 |
|---|---|
| Address | 0x7ffb0 |
| Ordinal | 17 |
|---|---|
| Address | 0x7fba4 |
| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 1.4.3.5 |
| ProductVersion | 1.4.3.5 |
| FileFlags | (EMPTY) |
| FileOs |
VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
|
| FileType |
VFT_DLL
|
| Language | English - United States |
| CompanyName | Wondershare |
| FileDescription | wsUpgrade |
| FileVersion (#2) | 1.4.3.5 |
| InternalName | wsUpgrade.dll |
| LegalCopyright | Copyright © 2022 Wondershare. All rights reserved. |
| OriginalFilename | wsUpgrade.dll |
| ProductName | wsUpgrade |
| ProductVersion (#2) | 1.4.3.5 |
| Resource LangID | English - United States |
|---|
| XOR Key | 0xf2b220e0 |
|---|---|
| Unmarked objects | 0 |
| 199 (41118) | 7 |
| ASM objects (20806) | 2 |
| C objects (20806) | 13 |
| 221 (20806) | 4 |
| C++ objects (20806) | 8 |
| C objects (27045) | 5 |
| C objects (VS2010 SP1 build 40219) | 110 |
| Imports (65501) | 22 |
| 221 (VS2013 UPD5 build 40629) | 3 |
| Total imports | 464 |
| 229 (VS2013 UPD5 build 40629) | 17 |
| Exports (VS2013 UPD5 build 40629) | 1 |
| Resource objects (VS2013 build 21005) | 1 |
| 151 | 1 |
| Linker (VS2013 UPD5 build 40629) | 1 |
No comments yet.