Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!)

Hi pio,

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Abinaya R

File is unjustifiably FULLY trusted!!!

PUA.Adware.Variant.InstallCore - Certificate “issued” by Symantec & “countersigned” by Symantec & Thawte

Some suspicious/malicious indicators: Compiler/Packer signature > Compiler: MS Visual 10.0, Packer: NSIS, File has multiple binary anomalies (File ignores Code Integrity, The file contains other files (type: Nullsoft, location: overlay, file-offset: 0x00014208 & type: Flash, location: overlay, file-offset: 0x003CF598), PE file has unusual entropy sections, The count “8” of libraries is suspicious, Contains zero-size sections, CRC value set in PE header does not match actual value, Found PE timestamp using the buggy magic timestamp “0x2A425E19”), Found possibly Anti-VM Strings (Checks amount of system memory, Queries the disk size), Found a cryptography-related string (Indicator: “rc6”; File: “PowerISO.exe.2600991351”), Contains ability to check the local/global descriptor table, Contains ability to start/interact with device drivers, Contains native function calls, Contains ability to download files from the internet, Contains ability to open the clipboard, Modifies auto-execute functionality, Checks if a debugger is present, Expects Administrative permission, Reads the active computer name, Reads the cryptographic machine GUID, Reads the registry for installed applications, Reads Windows Trust Settings, Queries the internet cache settings, Scanning for window names, Drops multiple executable files, Drops system driver, Duplicates the process handle of another process to obtain access rights to that process (21 events), Writes data to “another” process (“regsvr32.exe” & “itself”), Creates a suspicious process (regsvr32.exe /s /u “C:\Program Files\PowerISO\PWRISOSH.DLL”), Installs hooks/patches multiple running processes, Opens the Kernel Security Device Driver, Modifies proxy settings, Queries sensitive IE security settings, Accesses Software Policy Settings, Accesses System Certificates Settings, Found possibly suspicious/malicious network related activity >>> GETs data from “50.62.134.113” (“poweriso.com”), Found malicious artifacts related to “50.62.134.113” >>> VirusTotal

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 SHA256 Code Signing CA
Serial: 118202670773406737515473305365598042868
Serial (Hex): 58ed019dda867257493e61e5f18dfaf4

Valid from: May 17 00:00:00 2017 GMT
Valid until: Aug 15 23:59:59 2020 GMT

C (countryName): HK [484B]
CN (commonName): Power Software Limited [506F77657220536F667477617265204C696D69746564]
L (localityName): North Point [4E6F72746820506F696E74]
O (organizationName): Power Software Limited [506F77657220536F667477617265204C696D69746564]
ST (stateOrProvinceName): Hong Kong [486F6E67204B6F6E67]

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

Doesn’t seem to be processed yet! Please take a look at this! Thanks!

Hi, pio

Thank you for your submission.
We’ll check them and, if found to be malware, detection will be added.

Best regards
Chunli.chen

File is unjustifiably FULLY trusted!!!

MSIL.PUA.Downloader.Variant.WebCompanion - Certificate “issued” by GlobalSign

https://analyze.intezer.com/#/analyses/7c67e127-47ec-485e-9267-fccf16df8908/sub/7bfa5ac2-5f7f-4a1f-8dac-f7d8e9935f38

Some suspicious/malicious indicators: Compiler/Packer/Crypter signature > Compiler: MS Visual C++ 5.0 - 6.0, Packer/Crypter: 7Z, Armadillo 1.71, File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, Contains unknown resources, CRC value set in PE header does not match actual value, Contains another file (type: 7zSFX, location: overlay, file-offset: “0x000284BA”)), Found possibly Anti-VM Strings (Checks amount of system memory, Found VM detection artifact “CPUID trick”, Detect VM environment via file property > GetFileAttributesEx: FileName = C:\WINDOWS\system32\VBoxDisp.dll), Found cryptography-related strings, Tries to sleep a long time (“WebCompanionInstaller.exe” tried to sleep 2076 seconds), Attempts to identify installed AV products by installation directory (5 events), Reads the active computer name, Reads the cryptographic machine GUID, Reads terminal service related keys, Drops executable files, Creates guarded memory sections, Executes WMI queries (SELECT * FROM Win32_OperatingSystem), Looks for the Windows Idle Time to determine the uptime, Allocates virtual memory in a remote process, Installs hooks/patches the running process (“WSHIP6.DLL”, “WSHTCPIP.DLL”, “USER32.DLL”, “SHFOLDER.DLL”, “MSCORWKS.DLL”, “NSI.DLL”, “WEBCOMPANIONINSTALLER.EXE”), Opens the Kernel Security Device Driver, Reads sensitive Internet Explorer settings, Reads Internet Cache Settings, Changes internet zones settings, Modifies System certificates, Found possibly suspicious/malicious network related activity >>> Creates windows services (“WebCompanionInstaller.exe” (Access type: “CREATE”; Path: “HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS”)), POSTs data to > “72.55.154.82” (“wc-tracking.lavasoft.com”) >>> VirusTotal

Certificate Details :

Algorithm: rsaEncryption
Version: 3
Issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign CodeSigning CA - G3
Serial: 34009650070827778648131810261
Serial (Hex): 6de41f889cf84643f324b3d5

Valid from: Jul 20 14:12:37 2016 GMT
Valid until: Jul 21 14:12:37 2018 GMT

C (countryName): CA [4341]
CN (commonName): Lavasoft Software Canada
L (localityName): Saint-Laurent
O (organizationName): Lavasoft Software Canada
ST (stateOrProvinceName): Quebec
emailAddress (emailAddress): itcontracts[at]lavasoft.com
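Both reports above hinge on the same point: a code-signing certificate issued by a reputable CA to a real company tells you the signature is consistent, not that the file deserves full trust. As an added example (not from either post, nor Comodo's or any vendor's code), this Python script parses a "Certificate Details" block in the layout used in this thread, checks that the decimal and hex serials agree, that each bracketed hex annotation decodes to the stated subject value, and that the certificate was within its validity window on a given date; the sample block and all its values are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample laid out like the thread's "Certificate Details" blocks;
# every value is made up for this example (0x1234 == 4660).
SAMPLE = """\
Issuer: /C=XX/O=Example CA/CN=Example Code Signing CA
Serial: 4660
Serial (Hex): 1234

Valid from: Jul 20 14:12:37 2016 GMT
Valid until: Jul 21 14:12:37 2018 GMT

C (countryName): HK [484B]
CN (commonName): Example Publisher Ltd [4578616D706C65205075626C6973686572204C7464]
O (organizationName): Example Publisher Ltd [4578616D706C65205075626C6973686572204C7464]
"""
# Subject lines look like "CN (commonName): value [hex-encoded value]"
SUBJECT_RE = re.compile(r"^(\S+) \((\w+(?:Name|Address))\): (.*?)(?: \[([0-9A-Fa-f]+)\])?$")
TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_cert_summary(text):
    """Parse the key/value block; subject fields keep their optional hex annotation."""
    info = {"subject": {}}
    for line in text.splitlines():
        if not line.strip(): continue
        m = SUBJECT_RE.match(line)
        if m:
            abbrev, _name, value, hexval = m.groups()
            info["subject"][abbrev] = (value, hexval)
        else:
            key, _, value = line.partition(": ")
            info[key] = value
    return info

def audit_cert_summary(text, at_iso):
    """List inconsistencies in the summary as of the ISO date at_iso (UTC). An empty list
    means only that the summary is self-consistent and in validity, nothing about the file."""
    info = parse_cert_summary(text)
    at = datetime.fromisoformat(at_iso).replace(tzinfo=timezone.utc)
    issues = []
    if int(info["Serial"]) != int(info["Serial (Hex)"], 16):
        issues.append("serial: decimal and hex forms disagree")
    for abbrev, (value, hexval) in info["subject"].items():
        if hexval and bytes.fromhex(hexval).decode("latin-1") != value:
            issues.append(f"{abbrev}: hex annotation does not decode to '{value}'")
    start = datetime.strptime(info["Valid from"], TIME_FMT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(info["Valid until"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not start <= at <= end:
        issues.append(f"validity: certificate not valid on {at_iso}")
    return issues
```

An empty result is the starting point for a trust decision, not the end of one: the behavioural indicators listed in the posts still have to be weighed against the signer's identity.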

Hi pio,

Thank you for your submission.
We’ll check them and if found to be malware detection will be added.

Best regards
Ananthalakshmi M

Hi Ananthalakshmi M,

the Valkyrie and VT links have been corrected!

Thank you!

SpyShelter’s testing app is reported as trusted, making Comodo fail the test.

Hi,

Thank you for your submission.
We’ll check it.

Kind Regards,
Erik M.

From a fake virus site

SHA1: a6d7af8ce2ae317d2fe637d0aca5fd971315cb7b

no signature by Comodo

Hi,

Thank you for your submission.
We’ll check it.

Kind Regards,
Erik M.

7c9e99c81c628eb2d9722d1ccf07f71e203d12c2

This is probably a trusted malicious/PUP file.

Hi,

Thank you for your submission.
We’ll check it.

Kind Regards,
Erik M.

Trusted PUP (Digital signature is trusted as well!)

f7156011539f0439a77dacb1c860b4ef7301e580

Valkyrie Verdict (27/68)

Hi,

Thank you for your submission.
We’ll check it.

Kind Regards,
Andrei P.