Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)

Doesn't seem to be processed yet! Please take a look at this! Thanks!

Hello,
Thanks for your submission, I'll have a look and add detection if necessary.

Best regards,
Andrei Savin

PUA.Variant.InstallCore - Certificate “issued” by Comodo - The file certificate was not successfully recognized by Valkyrie!!!

Some suspicious/malicious Indicators: Compiler/Packer/Protector/Crypter signature > Compiler: Borland Delphi, Packer: Inno Setup Installer 5.50, File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, Entrypoint is outside of first section, Checksum mismatches the PE header value, Contains zero-size sections, Contains another file (type: InnoSetup, location: overlay, file-offset: 0x00033C00), Has “2” executable sections), Contains ability to start/interact with device drivers, Contains ability to retrieve keyboard strokes, References Windows built-in privileges, Drops multiple executable files, Creates guarded memory sections, Process deletes itself, Reads the active computer name, Scanning for window names, Reads the registry for installed applications, Duplicates the process handle of another process, Hooks/patches the running process (“MSIMG32.DLL”), Makes a code branch decision directly after an API that is environment aware (Found API call GetDiskFreeSpaceW[at]kernel32.dll directly followed by “cmp byte ptr [ebp-02h], 00h” and “je 004B0181h”), Touches files in the Windows system directory, Opens the Kernel Security Device Driver

Algorithm: rsaEncryption
Version: 3
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
Serial: 17435140106306245640973187730099565231
Serial (Hex): 0d1de2c682ba42a48358f001a37a72af

Valid from: Nov 7 00:00:00 2017 GMT
Valid until: Nov 7 23:59:59 2018 GMT

C (countryName): MX [4D58]
CN (commonName): DS NET CORP SA DE CV
L (localityName): BENITO JUAREZ
O (organizationName): DS NET CORP SA DE CV
OU (organizationalUnitName): IT [4954]
ST (stateOrProvinceName): MEXICO CITY
postOfficeBox (postOfficeBox): 03020 [3033303230]
postalCode (postalCode): 03020 [3033303230]
street (streetAddress): XOCHICALCO 392 INT 3

Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Regards,
Abinaya R

Hi abinaya,

thank you and welcome to Comodo! :wink:

Detected as trusted by Comodo Cloud AV.

Hi morphiusz,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Hi Felipe Oliveira,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Human Expert Analysis: Clean
Trusted Verdict

Only 41/67 in VirusTotal

Hello Felipe Oliveira,

Thank you for sharing this. We’ll check it and take the appropriate actions.

Best regards,
FlorinG

File is unjustifiably FULLY trusted!!!

MSIL.PUA.Variant.WebCompanion - Certificate “issued” by Entrust & “countersigned” by GlobalSign

Some suspicious/malicious Indicators: Compiler/Packer signature > Compiler: MS Visual 6.0, Packer: Armadillo 1.71, File has multiple binary anomalies (File ignores DEP, File ignores Code Integrity, CRC value set in PE header does not match actual value, Embeds another file (type: 7zSFX, location: overlay, file-offset: 0x00022C6B), Contains a known anti-VM trick (“CPUID trick” in “op.exe.bin”), Executes WMI queries (NetworkAdapterConfiguration WHERE IPEnabled=True, VideoController, DiskDrive, Bios, BaseBoard, Processor), Tries to implement anti-virtualization techniques (against “virtualbox”), Checks if debugger is present, Found strings in conjunction with a procedure lookup that resolve to a known API export symbol, Looks for the Windows Idle Time to determine the uptime, Checks for an ADS, Creates guarded memory sections, Spawns a lot of processes, Reads the active computer name, Reads the cryptographic machine GUID, Reads terminal service related keys, Reads the registry for installed applications, Reads Windows Trust Settings, Opens the Kernel Security Device Driver, Accesses System Certificates Settings, Modifies Software Policy Settings, Modifies proxy settings, Queries sensitive IE security settings, Found possibly malicious network related activity >>> HTTP request contains Base64 encoded artifacts, Executable Retrieved With Minimal HTTP Headers, Creates windows services (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), POSTs data to “104.17.61.19:80” (flow.lavasoft.com), “72.55.154.82:80” (wc-tracking.lavasoft.com), “72.55.154.81:80” (wc-update-service.lavasoft.com), GETs data from “104.17.61.19:80” (wcdownloadercdn.lavasoft.com), “104.17.112.51:80” (webcompanion.com)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Entrust, Inc./OU=See - entrust.net/legal-terms/OU=(c) 2015 Entrust, Inc. - for authorized use only/CN=Entrust Code Signing CA - OVCS1
Serial: 339887834564985863534598956474935165154
Serial (Hex): ffb4040d93a323a500000000556640e2

Valid from: Aug 21 14:25:44 2017 GMT
Valid until: Aug 21 14:55:34 2020 GMT

C (countryName): DE [4445]
CN (commonName): pdfforge GmbH
L (localityName): Hamburg
O (organizationName): pdfforge GmbH
ST (stateOrProvinceName): Hamburg

Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Heise “says”:

The program can install adware and other unwanted software without asking you.

Hi prodex,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

File is unjustifiably FULLY trusted!!!

Riskware.PUA.Generic - Certificate “issued” by VeriSign & “countersigned” by Symantec & Thawte

Some suspicious/malicious Indicators: Compiler/Packer signature > Compiler: MS-VC 8.0, Packer: UPX 3.08, File has multiple binary anomalies (File ignores Code Integrity, Entrypoint is outside of first section, The file code is self-modifying, The file has “2” writable and executable sections, The file-ratio “76%” of the resources is suspicious, The count “16” of libraries is suspicious, Imports sensitive Libraries (Process Status Helper, OLE32 Extensions for Win32, Userenv, Internet Extensions for Win32, Windows Socket 2.0 32-Bit DLL, Win32 LDAP API DLL), Contains ability to start/interact with device drivers, Contains ability to reboot/shutdown the operating system, Contains ability to write to memory of another process (WriteProcessMemory[at]KERNEL32.dll), Contains ability to retrieve keyboard strokes, Contains ability to register hotkeys, Contains ability to lookup the windows account name, Contains ability to query the value of any user atom (GetClipboardFormatNameA[at]USER32.DLL from frt_auto.exe), Checks if a debugger is present, Has no visible windows, Creates guarded memory sections, Opens a file in a system directory, Queries process information, Reads terminal service related keys, Scanning for window names, Scans for the windows taskbar, Reads the keyboard layout followed by a significant code branch decision, Opens a file in a system directory, Opens the Kernel Security Device Driver, File is hosted by a suspicious server (“183.91.33.45” >>> VirusTotal)

Certificate Details:

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=T 10/CN=VeriSign Class 3 Code Signing 2010 CA
Serial: 128303042479937921492611790609463368101
Serial (Hex): 60864463bbbc2e4e67d42771e4cbd9a5

Valid from: Apr 21 00:00:00 2017 GMT
Valid until: Feb 4 23:59:59 2020 GMT

C (countryName): CN
CN (commonName): Zhuhai Kingsoft Office Software Co., Ltd.
L (localityName): Zhuhai
O (organizationName): Zhuhai Kingsoft Office Software Co., Ltd.
OU (organizationalUnitName): RD Department
ST (stateOrProvinceName): Guangdong

Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Ananthalakshmi M

Valkyrie Signature Detection and Final Verdict = CLEAN

PUA.Toolbar.Asparnet - Certificate “issued” by VeriSign & “countersigned” by Symantec, Thawte & VeriSign

Some suspicious/malicious Indicators: Compiler/Packer signature > Compiler: MS-VC 8.0, Packer: Morphine v. 3.3, File has multiple binary anomalies (File ignores Code Integrity, Foreign language identified in PE resource (Chinese), The certificate issuer (VeriSign) has expired (31/12/2012), The certificate subject (Symantec) has expired (31/12/2012), Imports sensitive Libraries (Remote Procedure Call Runtime, Internet Extensions for Win32, OLE32 Extensions for Win32, Windows Installer, Crypto API32, Microsoft Trust Verification APIs), References an Object Identifier (2.5.4.11 & 1.3.6.1.4.1.311.2.1.12), Has no visible windows, Checks if a debugger is present, Tries to delay the analysis, Contains ability to read the monitor info, Expects Administrative permission, Reads the active computer name, Reads the cryptographic machine GUID, Checks adapter addresses, Scanning for window names, Reads the registry for installed applications, Opens the Kernel Security Device Driver, Touches multiple files in the Windows directory, Accesses potentially sensitive information from local browsers, Modifies proxy settings, Queries sensitive IE security settings, Found possibly malicious network related activity >>> Found more than one unique User-Agent (Mozilla/4.0), HTTP request contains Base64 encoded artifacts, Creates windows services (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), POSTs data to “199.36.100.103” (pipoffers.apnpartners.com), GETs data from “23.43.122.119” (ak.pipoffers.apnpartners.com) & “199.36.100.103” (pipoffers.apnpartners.com)

Hi pio,

Thank you for your submission.
We'll check them and, if found to be malware, detection will be added.

Best regards
Qiuhui.■■■■

Valkyrie Signature Detection and Final Verdict = CLEAN

PUA.myPCBackup

Some suspicious/malicious Indicators: Compiler/Packer/Crypter/Protector signature > Compiler: Microsoft Visual C v7.0, Protector: ConfuserEx, File has multiple binary anomalies (File ignores Code Integrity, Digisig is expired: Jun 21 12:00:00 2016, The certificate was explicitly revoked by its issuer (DigiCert), Imports count “1” is very low, Input file contains API references not part of its Import Address Table (Found string “QueueUserWorkItem” (Source: “mypcbackup.1.5.0.2.97.exe”, API is part of module: “KERNEL32.DLL”)), Found Anti-VM Strings (Found VM detection artifact “RDTSCP trick”, Checks amount of system memory, Checks adapter addresses), Reads the active computer name, Reads the cryptographic machine GUID, Reads Windows Trust Settings, Uses Windows APIs to generate a cryptographic key (2 events), Queries kernel debugger information, Creates guarded memory sections, Drops cabinet archive files, Creates new processes (“Input Sample” is creating a new process (Name: “%WINDIR%\System32\conhost.exe”)), Duplicates the process handle of another process to obtain access rights to that process (321 events), Writes data to another process (“Input Sample” wrote bytes to process > “%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\dw20.exe”), Opened the service control manager, Touches multiple files in the Windows directory, Opens the Kernel Security Device Driver, Accesses System Certificates Settings, Modifies Software Policy Settings, Found possibly suspicious/malicious network related activity >>> “Input Sample” & “dw20.exe” creates windows services (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”), Connects to an IP address that is no longer responding to requests > “40.70.13.248:80”