Exemple de rapport (ici, PCCleaner.exe, un inutilitaire - Analyse VirusTotal)

Submission Summary:

• Submission details:
  • Submission received: 4 March 2016, 07:55:09
  • Processing time: 8 min 18 sec
  • Submitted sample:
    • File MD5: 0x9E02E9BC593BF6754C59F08BF69591D2
    • File SHA-1: 0x00207DAC5DEC3CB7C3DFEB4716A207CB52E41E7D
    • Filesize: 2 035 144 bytes

• Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

• The following files were created in the system:

• Notes:
  • %CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
  • %DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
  • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

• The following directories were created:
  • %CommonPrograms%\PC Cleaner
  • %AppData%\PC Cleaner
  • %AppData%\PC Cleaner\Backup
  • %AppData%\PC Cleaner\Log
  • %AppData%\PC Cleaner\Undo
  • %ProgramFiles%\PC Cleaner

• Notes:
  • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Memory Modifications

• There were new processes created in the system:

• Notes:
  • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

• The following Registry Keys were created:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1
  • HKEY_CURRENT_USER\Software\PC Cleaner

• The newly created Registry Values are:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner_is1]
    • Inno Setup: Setup Version = "5.5.3 (a)"
    • Inno Setup: App Path = "%ProgramFiles%\PC Cleaner"
    • InstallLocation = "%ProgramFiles%\PC Cleaner\"
    • Inno Setup: Icon Group = "PC Cleaner"
    • Inno Setup: User = "%UserName%"
    • Inno Setup: Selected Tasks = "desktopicon"
    • Inno Setup: Deselected Tasks = ""
    • Inno Setup: Language = "en"
    • DisplayName = "PC Cleaner v4.0"
    • UninstallString = ""%ProgramFiles%\PC Cleaner\unins000.exe""
    • QuietUninstallString = ""%ProgramFiles%\PC Cleaner\unins000.exe" /SILENT"
    • DisplayVersion = "4.0"
    • Publisher = "PCHelpSoft"
    • NoModify = 0x00000001
    • NoRepair = 0x00000001
    • InstallDate = "20160304"
    • MajorVersion = 0x00000004
    • MinorVersion = 0x00000000
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • PC Cleaner = "%ProgramFiles%\pc cleaner\PCCSchedule.exe"
      so that PCCSchedule.exe runs every time Windows starts
  • [HKEY_CURRENT_USER\Software\PC Cleaner]
    • LastScanDate = 21 D4 E3 9A 2A B8 E4 40
    • LastScanFound = 0x000001B8
    • ItemsToFix = 0x00000119
    • ItemsToClean = 0x0000009F
    • JunkFiles = 0x00000075
    • ItemsFixed = 0x00000000
    • ItemsCleaned = 0x00000000
    • ResidualFilesCleaned = 0x00000000
    • LastScanChecked = "1110011"
    • DisplayName = "PC Cleaner"
    • Version = "4.0"
    • InstallationDate = 1E 03 64 93 2A B8 E4 40
    • AppStart = 0x00000003
    • LastUpdateChecking = 1E 03 64 93 2A B8 E4 40
    • UpdateReminderDisabled = 0x00000000
    • LogDir = "%AppData%\PC Cleaner\Log"
    • UndoDir = "%AppData%\PC Cleaner\Undo"
    • ItemsToRegistryScan = "1111111111"
    • ItemsToPrivacyScan = "1111"
    • ItemsToRecoveryScan = "1111"
    • UseExclusions = 0x00000001
    • ShowRebootMessage = 0x00000001
    • ShowRecycleBin = 0x00000001
    • StartWithWindows = 0x00000001
    • Reminder = 0x00000001
    • StartupNotifier = 0x00000001
    • CacheNotifier = 0x00000000
    • s_SmartMode = 0x00000000
    • s_SmartScan = 0x00000001
    • s_SmartDate = 2B 27 65 93 0A B8 E4 40
    • s_Enable = 0x00000000
    • s_Time = 2B 27 65 93 2A B8 E4 40
    • BuildID = "PCHS_PCC40"
    • UpgradeID = "PCHS_PCC40"
    • UpgradeIDPro = "PCHS_PCC40_PLAT"
    • InstallStat = 0x00000001

Other details

• Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	Netherlands

• To mark the presence in the system, the following Mutex objects were created:
  • PCCSchedule
  • madExceptSettingsMtx$41c
  • PCCleaner
  • madExceptSettingsMtx$5d0
  • HookTThread$5d0
  • _!SHMSFTHISTORY!_
  • madExceptSettingsMtx$778
  • PCCUninstaller
  • madExceptSettingsMtx$e4
  • HookTThread$e4

• The following Host Names were requested from a host database:
  • service.smartpcupdate.com
  • localhost

• The following Internet Connection was established:

• The following GET requests were made:
  • pc-cleaner/uninstall-offer/?ver=410
  • pc-cleaner/uninstall-offer/index.jpg

• The following HTTP URLs were started reading:
  • https://service.smartpcupdate.com/rpc/sendspminstall?partner=PCHS_PCC4_EN_ID410&build=4.0&compiler=June2014
  • https://service.smartpcupdate.com/rpc/sendspmuninstall?partner=PCHS_PCC4_EN_ID410&build=4.0&compiler=June2014
  • https://service.smartpcupdate.com/rpc/sendspminstall?partner=PCHS_PCC40&build=4.0&compiler=