Sending request to SiriusGPT Model 0...
Model 0 confidence (85% Safe) is below the 90% confidence threshold.
Sending request to Model 1...
Model 1 confidence (85% Safe) is below the 90% confidence threshold.
Sending request to Model 2...
Model 2 confidence (75% Malicious).
Selected optimal result: Safe with 85% confidence from Model 1 (priority-based tie-break).
Database updated with result from Model 1.
Total tokens: 4229 (3431 request / 798 response)
File path: C:\Users\User\Downloads\Xtrfy-M4-MZ1-and-M42-Wireless-Firmware-update-V3.18-20220728\Xtrfy M4 MZ1 and M42 Wireless Firmware update V3.18-20220728\Xtrfy wireless mouse update-V3.18-20220728.exe
File hash: 14882dfda02013798936cc3bf3e5949b444402b805a2b0438c58d73364c578f0
File size: 1.07 MB
File publisher: This file is a signable file type but has not been digitally signed.
WhitelistCloud verdict: Not Safe
Final Verdict: Safe with 85% confidence.
## Analysis Summary
The file presents itself as a firmware-updater utility for Xtrfy gaming mice. It is a .NET executable (CLRRuntimeHeaderSize = 72) that imports only the minimal native stub `_CorExeMain` and relies on the CLR for all other functionality. The P/Invoke list is dominated by HID and SetupAPI calls—exactly what one would expect for a mouse-firmware flasher. No cryptographic or process-injection APIs are imported, entropy values are low, and overlay data is absent. The only red flag is the WhitelistCloud “Malicious” verdict, but that signal is known to be overcautious and is contradicted by every other observable. Overall, the file appears to be a legitimate vendor tool.
## Detailed Analysis
- **.NET nature**: CLRRuntimeHeaderSize = 72 confirms a managed assembly; the ImportTableSize of 83 bytes and IAT at 0x2000 are consistent with a single native stub (`_CorExeMain`). This is normal for .NET executables and not suspicious.
- **Imports / P/Invoke**: All native calls are HID-class related (`HidD_*`, `SetupDi*`, `CreateFile`, `WriteFile`, `DeviceIoControl`). These are required to enumerate USB-HID devices and send firmware payloads to the mouse. No networking, registry persistence, or code-injection APIs are present.
- **Sections & entropy**: Three sections only. Section 1 (code) entropy 7.51 is typical for a compressed .NET assembly; Sections 2 and 3 (resources) have low entropy, consistent with icons and bitmaps. No encrypted or packed overlay (OverlaySize = 0, entropy 0.00).
- **Security features**: ASLR and DEP are enabled (`DllCharacteristics 0x8540`). No digital signature is present, which is unfortunately common for small-vendor firmware updaters but does not by itself indicate malice.
- **Metadata**: Version info names the binary “WindControls.exe” / “WindControls” with a 2021 copyright. While the internal name differs from the file name on disk, this is common for reused .NET UI frameworks.
- **Strings**: Human-readable strings are almost exclusively font/icon resources (FontAwesome, ElegantIcons) plus a few bitmap/ICC-profile tags. No URLs, IPs, or suspicious commands appear.
### Portable Executable Imports
Only `_CorExeMain` is listed in the classic import table; the remainder are .NET P/Invoke declarations. The P/Invoke set is small and purpose-built for HID communication. There is no evidence of process hollowing, reflective DLL loading, or other malicious primitives.
### Portable Executable Exports
No exports are present, which is expected for a .NET executable that is not intended to be a library.
### Portable Executable Strings
Top meaningful strings are UI-related icon/font identifiers and standard .NET resource names. Nothing indicative of command-and-control, persistence, or payload staging.
### Likely Type / Purpose
The file is almost certainly a legitimate firmware-update utility for Xtrfy M4/MZ1/M42 wireless mice. Its sole purpose appears to be detecting the mouse via HID and flashing the embedded firmware image.
Malware type: PUP
Malware name: Xtrfy.FirmwareUpdater.Unsigned
Final verdict: Safe with 85% confidence.
Since Sirius is here, I tried to use it as a VirusTotal alternative, and it seems to be pretty good. I like how it gives you a lot of info about the file (for a person that's not a very advanced user with these tools, it was simple to read what this file was about), and as a bonus it classified the file as PUP.
I'm currently running Kaspersky but am really interested in buying this whole Sirius suite when it goes live. Might be too early to ask (don't need to answer if you don't want to), but are you planning to put this under the VoodooShield license, like one buys a lifetime VoodooShield license and gets lifetime access to Sirius, or what is the plan / what would the pricing be?
Edit: I scanned a game client that's fully safe (currently) and Sirius came back with a 90% decision that it's not safe.
Sorry for the stupid questions, but Sirius scanned my PC and it was totally clean (not surprised, as it was just clean installed with Kaspersky only). But there is this gaming mouse driver that is flagged as PUP, and the game client which I wanted to check because I don't use them, but I would use them if they're completely safe.
Edit 2: the other client that is used for the same game came back with 95% trusted, which is weird because both of these clients are approved by the game company, even though the clients are third-party, made by third-party people.