ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 2 October 2012, 00:09:44
Processing time: 10 min 30 sec
Submitted sample:

File MD5: 0xED09CAFDB2179A2AE9FE9B75EDF9C140
File SHA-1: 0xF415FAA9371367411F536BD0AEB4491B56932664
Filesize: 4,370,664 bytes

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%CommonPrograms%\Remote Administrator Control\RAC Server.lnk	744 bytes	MD5: 0xF290FA8F377B271D51906FA250A233D0 SHA-1: 0x20286E3074CEB411FFB2DCC7CC16270411B79979
2	%CommonPrograms%\Remote Administrator Control\Uninstall\Uninstall RAC Server.lnk	774 bytes	MD5: 0x80AFC455C957063E8917BA15F81F0ACD SHA-1: 0xDC6169209F3AC0633818427F9C7382602B7C1251
3	%DesktopDir%\RAC Server.lnk	732 bytes	MD5: 0x227236F36E3F04B681216F73F48240DC SHA-1: 0xEB2289053DDD6D0955E550327A87B04F3A73CBC1
4	%ProgramFiles%\PCNetSoftware\RAC Server\InstallKernel.dll	137,072 bytes	MD5: 0x392F8E7CA09245019698AC22D8A9B056 SHA-1: 0xF7FAA3D95695350EC414AB7672DA1762FB587E8C
5	%ProgramFiles%\PCNetSoftware\RAC Server\InstallPPM.exe	263,536 bytes	MD5: 0x7E5F71FD866D3EB3A242F61954A9DC18 SHA-1: 0xCC90FE7325153639D23CAE105121F97067C8FAEE
6	%ProgramFiles%\PCNetSoftware\RAC Server\LicenseCSY.txt	2,749 bytes	MD5: 0x3C0B6A168208DFAA8038FE588E0371E0 SHA-1: 0x146B12650A5AE0083C2722D8334181E245016522
7	%ProgramFiles%\PCNetSoftware\RAC Server\LicenseDEU.txt	2,810 bytes	MD5: 0xCC562B1295E7D728AE374131E2FFBE6A SHA-1: 0xB0DC6C98EA03D8912BB01E6451234431D960D094
8	%ProgramFiles%\PCNetSoftware\RAC Server\LicenseENG.txt	2,706 bytes	MD5: 0x9254F2BCFEDDD3A224985D37685815AD SHA-1: 0xD3D6E556367ED18CD5D945FBA0C4AAAE35769A07
9	%ProgramFiles%\PCNetSoftware\RAC Server\LicenseESP.txt	3,023 bytes	MD5: 0xAC02EA497F0EAA34A0592395A5FCEEBB SHA-1: 0xBB50667A75AB03132CC3F6555904D319DD66FE63
10	%ProgramFiles%\PCNetSoftware\RAC Server\LicenseFRA.txt	3,151 bytes	MD5: 0x9AF7E217908470EFCF272CD674FD9C01 SHA-1: 0x6ED43B771A73B8C4D0EE8B79BC76DF5D6A868BB8
11	%ProgramFiles%\PCNetSoftware\RAC Server\LicenseITA.txt	2,696 bytes	MD5: 0x80826082ADB576121AC27BF5D6A6721E SHA-1: 0xABD2B3EE94C22824745DA7204254FB6BFCDD228B
12	%ProgramFiles%\PCNetSoftware\RAC Server\LicensePTG.txt	2,661 bytes	MD5: 0xA0DD6EE103B2FCA33B00A5B42DADC7DE SHA-1: 0x10BEF4FBE0DC5CC18D3D3329A68C1B71331FA5DE
13	%ProgramFiles%\PCNetSoftware\RAC Server\msvcr80.dll	802,640 bytes	MD5: 0x8BC7F8F0B7AE856D910B3FDD895EC50E SHA-1: 0x8A45BF996C84BD88E9172B49FD6D36BADB31B0F0
14	%ProgramFiles%\PCNetSoftware\RAC Server\nph-index.cgi	110,592 bytes	MD5: 0xBF41152DC7ECE06224A5155C18A56531 SHA-1: 0x5E807B006E086552A24177473A9BD61A9A248EC3
15	%ProgramFiles%\PCNetSoftware\RAC Server\RACDriver.sys	7,680 bytes	MD5: 0xAB771E5A1E2C1CE7E9C0A43CBADA9684 SHA-1: 0x1302A4C7852184C65D42BE9161DDEACE744353D8
16	%ProgramFiles%\PCNetSoftware\RAC Server\RACh.dll	59,248 bytes	MD5: 0x9DCA815787AAE146A2A28A11F2D50C2F SHA-1: 0x985E4873DBFEFEF730B41AB38746410419E7BBA1
17	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\MirrInst.exe	128,368 bytes	MD5: 0x63A03D34F06E3150653A61EB17F19CEA SHA-1: 0x3D649FFDC545125B59C4F38EEAD779D133368E32
18	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\MirrInst64.exe	179,056 bytes	MD5: 0x64805E39F87F6F35CBAC1D4EF66E5356 SHA-1: 0x4C70CDF50A72B9AD2DEB994BD666074C7541EEB4
19	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\racmirror.cat	12,064 bytes	MD5: 0x4475F538A3FDBA8F434B9E49107E57A7 SHA-1: 0x6C60ADEC976CA562C82224C03440BD9C1BFBEB0F
20	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\racmirror.inf	2,391 bytes	MD5: 0x8B4E4C76FB364A072503335A2D1EC30D SHA-1: 0xAF4BA84DCB58477316853FD0B7B4053122C6714B
21	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\racmirror_e2.cat	8,243 bytes	MD5: 0x6BB10DADB26BBF624405681DC2FBA2B9 SHA-1: 0x38ACA5F12094D2369BF98189B8396F47FBD82352
22	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\racmirror_e2.inf	2,394 bytes	MD5: 0x9B5489BFE8D564DD88D1A1D9D088CA24 SHA-1: 0xAE59FCFC01C18513F1AE0BF0EE7A06029C2DE0EE
23	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\Win2000\dfmirage.cat	8,253 bytes	MD5: 0xAFEF1312CAE788A9F09D8699B5250063 SHA-1: 0xD615DF58D9BAD8C7DC8331EFAD32F0658CC4F5A7
24	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\Win2000\dfmirage.dll	30,360 bytes	MD5: 0xA4A694AAE06237D3CA749BEEEAA34290 SHA-1: 0xF742567A9754EF7B4301AE86249C9C65F4B809AE
25	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\Win2000\dfmirage.inf	2,375 bytes	MD5: 0xD3D04423BB0342591A5B1447B7C5375E SHA-1: 0x217C86943605EC32E23276188F44AAC2B4D031A3
26	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\Win2000\dfmirage.sys	31,896 bytes	MD5: 0xD8CD6A2A94F545858EEC6117F0D5DFF4 SHA-1: 0x959023731BBCD12BBA2224FEE809B70C4AB3CFDB
27	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\x64\racmirror.dll	39,696 bytes	MD5: 0x808B129AB55182A76BE57923D3021B09 SHA-1: 0xCFA83EE7D96B959F57D40A7B80A93547B72F0DED
28	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\x64\racmirror.sys	35,088 bytes	MD5: 0x3C7D75D3FFB4B20C75026E26F5AE562F SHA-1: 0xA980CC3206F105ABD771066316BBDA15C158F395
29	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\x86\racmirror.dll	32,016 bytes	MD5: 0xE342E020CF4F5F5EBDEBE8B5B68D2119 SHA-1: 0x0FF68AD39C238339C81BEB6FDA6F3B176EF22CEF
30	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\x86\racmirror.sys	32,784 bytes	MD5: 0xF93448159064B0E3E225F44E134DDA9B SHA-1: 0x072E302B96A4A57F1B9891164F0041944D5A5F0F
31	%ProgramFiles%\PCNetSoftware\RAC Server\RACPlaySound.exe	124,784 bytes	MD5: 0xD5008AF3A415867454E5D91E8268090E SHA-1: 0x3C6CF4DE50537A8F1CD0D873FB4555B8A4ED95CA
32	%ProgramFiles%\PCNetSoftware\RAC Server\RACppm.dll %System%\RACppm.dll	83,824 bytes	MD5: 0xF025D75F1F863248AAB1EBD9D054DB1D SHA-1: 0x318BEC3CCB015187C27310455B11B2C4D5E8C294
33	%ProgramFiles%\PCNetSoftware\RAC Server\RACppm64.dll	103,792 bytes	MD5: 0x4A85C379A7CB79009B045A978A82DFC3 SHA-1: 0xEFD3DF2E423231D9F8C82B43D3E271114207FF51
34	%ProgramFiles%\PCNetSoftware\RAC Server\RACRelation.exe	1,189,744 bytes	MD5: 0x9812B7DA2D2F2A4CE52556D1492C163E SHA-1: 0x947BD669C5615EE4815075D62060BFA46F8F9FF6
35	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.CSY.lng	98 bytes	MD5: 0x1F5194A3A4BDF9C6D3BF7CD3CF9C3FFD SHA-1: 0x5F8454213BD8410E8DD31D3C65E637C1AC81BED2
36	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.DEU.lng	702,320 bytes	MD5: 0x6DC5063E2B3CB6C4239D5B4D633B87DB SHA-1: 0x79AE6C52D191448B23BEF18CBDB897F6F55CA44B
37	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.ENG.lng	677,744 bytes	MD5: 0xAB9DCE5E161EB0512E4490A8C84BC8D1 SHA-1: 0x1BB71FAD9B68B04959E6582034DC1CAF3174F6EC
38	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.ESP.lng	714,608 bytes	MD5: 0x425DABE1EC6012AB55F68BED1CCAC8AF SHA-1: 0xE342288C23FB5EA3109FFB0DA7A7FCAFB45FD474
39	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.exe	4,487,024 bytes	MD5: 0x7CA6994387A1888A027ADCD651689F54 SHA-1: 0xDBE7143CDBF6B70FABD32574D135321BD90C8A80
40	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.exe.manifest	898 bytes	MD5: 0x866E2AC5A1E7089A1F7EB958B9EF8326 SHA-1: 0x485B51381D7CDDDE5712E301E730A56E3C01DF76
41	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.FRA.lng	718,704 bytes	MD5: 0x4926D10B0840AFB123736F8A7D2ED81A SHA-1: 0x356B8A1452AF853074DF0E5F70FD24E81E5F938D
42	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.INI	405 bytes	MD5: 0x0264F8B06EBC3E9BE32AA19877F023BD SHA-1: 0x9BA5B2AEA780C0F361B2254C8239F5F423E2F9F9
43	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.ITA.lng	714,608 bytes	MD5: 0x4765A45F258A4CC6E971767ECC54F51D SHA-1: 0xDD3F9A1919D36232AB5C086C36264C36A02E8E9F
44	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.PTG.lng	702,320 bytes	MD5: 0x74D9C49629AA19A1A0973DFDD331B0B4 SHA-1: 0x74024E6757AD1B7C6159A2AC5465AB5D2B77E73E
45	%ProgramFiles%\PCNetSoftware\RAC Server\RACServerLogon.dll %System%\RACServerLogon.dll	63,344 bytes	MD5: 0xBA0A2BC9E6ABE788FA2EF7FB481F4ACE SHA-1: 0x60A9C79596BD9CE96A9F46446E222C4E9A58FDFA
46	%ProgramFiles%\PCNetSoftware\RAC Server\RACSessionService.exe	161,648 bytes	MD5: 0x1B57044E53C184E02E9F04A890089F95 SHA-1: 0x4E4F95884A35C665BD99B8B205289D20F2502D21
47	[pathname with a string SHARE]\RACShared.dll	218,992 bytes	MD5: 0x174C34B76A4442EF79D2817E8B310F6C SHA-1: 0xF21181B42FE8D3489E6DBCCA474A5129F1D978EA
48	%ProgramFiles%\PCNetSoftware\RAC Server\RACs_log.txt	1,588 bytes	MD5: 0x5A7E28A08CBC762947CE08A26FFA3D3F SHA-1: 0x8BEE58B899081EEA4D02D5E839114E2084A030DC
49	%ProgramFiles%\PCNetSoftware\RAC Server\RCommands.ini	7,628 bytes	MD5: 0x9B66BD12073B39EB9775D4B67AA9E757 SHA-1: 0x75999FE05D72B2858B7AD40AE7FC42576ACFD727
50	%ProgramFiles%\PCNetSoftware\RAC Server\unins000.dat	53,887 bytes	MD5: 0x954DBAD0890B25DCD7DE9F4D46FA38A6 SHA-1: 0x08513A97EC2CBED5997E668087B506DEC2B39976
51	%ProgramFiles%\PCNetSoftware\RAC Server\unins000.exe	707,354 bytes	MD5: 0x79E1962B821CAFAEDDB2F66E67BA8BFE SHA-1: 0x90105E40D2F8743970AE4FA2B123A96991C0259D
52	%ProgramFiles%\PCNetSoftware\RAC Server\update.exe	124,784 bytes	MD5: 0x157D5832247D493BF759C14AEA101BCD SHA-1: 0x3A3AC7831293703BD7DB8BFB1663B643EF7D8ABD
53	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\address.txt	17 bytes	MD5: 0x8758857A33C2603EE008FB39B3006030 SHA-1: 0x6B8AED9BA623E512AF7DE3F3A07CA063FB9D7884
54	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\authorization_error.txt	510 bytes	MD5: 0x0C3B3E61492BDC0D57E7F9FAE575F739 SHA-1: 0xF95B5F91CDE2B90BF98B03B8EEEE1A8E1356BCA3
55	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\change_email.txt	414 bytes	MD5: 0x0E96C9B14CA8E8BC95605C3DCC51188C SHA-1: 0x8D61140567369612241B4DC6844005E382654CA6
56	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\change_password.txt	339 bytes	MD5: 0x854017CC60116F7461E074CCA691A017 SHA-1: 0x3AAFFB6746138A72D31E07DFB8BF9C585C7DCBEC
57	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\connect.txt	699 bytes	MD5: 0x2C97BDB5C928F27FF1B913E31D493E58 SHA-1: 0x61DCCACD8DBED37032F475D300B0E4C7BC0EAE8E
58	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\connect_vpc.txt	482 bytes	MD5: 0xBADB4EB874A179D8D0CB1F2A32F0135E SHA-1: 0xA9FAE30B17D0780E8A21093641DDAB1B648F4FA2
59	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\disconnect.txt	748 bytes	MD5: 0x14B179769246B04101FD95255F57C9B6 SHA-1: 0xB21AF9EF04695018F6517B45CFB6C4FD7000AC4C
60	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\disconnect_vpc.txt	506 bytes	MD5: 0x407E2F93E41B3F7759A579E283B714FE SHA-1: 0xE03F0CAD389885292B34CC2C437012819D8DCAAF
61	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\forget_password.txt	365 bytes	MD5: 0x2A06F677BBA69E1B33BB2C0031AC602D SHA-1: 0x5E86D0AE90BBB3A2CECD5731B1FCF35D556F5175
62	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\remove_email.txt	390 bytes	MD5: 0x44EE20A63FA9E5ACA5AB83C6BA5416D3 SHA-1: 0x4238F564B7E9EA2804D9537FFBA17F8C111B33EB
63	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\rename.txt	348 bytes	MD5: 0xC87DD9B2C8B6B5C35CEA3E3C052F91B5 SHA-1: 0x6E1F4157AED382B6422CE2FF9C59B38E88721BC1
64	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\restart_server.txt	371 bytes	MD5: 0x043F4074C83942064ADD819F7EB492AB SHA-1: 0x7686FEE95D5984C8A138C9FFA1454FDB9B9BDE87
65	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\restart_VPC_server.txt	335 bytes	MD5: 0x6A65267E702AE7E1119EBEDAFB2BB5E0 SHA-1: 0x7982DC966B5F278F0FADB83CF9AD15DF1281AB9C
66	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\setting.ini	554 bytes	MD5: 0x1C3085B29A4CDC14CEEA1B709389BD0D SHA-1: 0x83FC20207CB1E2E01063BF7E316826661ADC64B6
67	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\set_email.txt	393 bytes	MD5: 0xB59FF55DB46F459B0388BBA43846888B SHA-1: 0x099A76DCDE2B62B97D38ACF86C38AF80BC7D0FC5
68	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\signature.txt	62 bytes	MD5: 0x9832E193C661CAEB20957DFF6D2C2DE6 SHA-1: 0xB58A4D7EC89AD087ED9018E056AB322F28FF488E
69	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\state_about_OS.txt	279 bytes	MD5: 0x0C962EB7103C623DF9125DCF084117FE SHA-1: 0xCF18A7E5E7CFC02AFB1E1260F0298A5C2D02097A
70	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech\subject_prefix.txt	22 bytes	MD5: 0xCA7FCB02B8DEBCB2F131207B3C0D4D89 SHA-1: 0x5DDAE334A73B737BEF6C269987F8820A2A60806C
71	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\address.txt	14 bytes	MD5: 0xBB369A018BFCAF1B347321008A0D4623 SHA-1: 0x98EDCE60B977F7A65A5AC4A4F9C6DEE94DEB3C89
72	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\authorization_error.txt	546 bytes	MD5: 0x46E173778C97358F6FCC6DD939E64DBD SHA-1: 0x769D84CB0E6F86C187FB721BC7BCE254242CCC2B
73	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\change_email.txt	434 bytes	MD5: 0x332C8B1C5BC596B860F6E7193932534B SHA-1: 0xC730102151C16E0B1C1713932C18F7863AB7606A
74	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\change_password.txt	395 bytes	MD5: 0x333A87BBEDEFF3F9193B5BEDB675808C SHA-1: 0x1426BD98918A22DBBC8F7281A6B126B1D7062538
75	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\connect.txt	667 bytes	MD5: 0xF30A9B11B92DB81B4762DCB341886DF7 SHA-1: 0x8900902A3BB89C6047F0EF01B3905BE29A875EEE
76	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\connect_vpc.txt	467 bytes	MD5: 0xF00BCB30CE75601D47ED25485DEDBDB5 SHA-1: 0xD415CE6FE2A5523544176917BEC492A17744BA52
77	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\disconnect.txt	702 bytes	MD5: 0x6BD81AFA3C348037C3E2AEF1848B0F06 SHA-1: 0xA1182CB4AAD5CCA9E9C3794AF83E3FB766069C3E
78	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\disconnect_vpc.txt	503 bytes	MD5: 0x7D53F5F3F4B6C717E5C272C0A0D10093 SHA-1: 0xF05A2B326D9AD8B876EE19EFE1D78AABC26CBB5E
79	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\forget_password.txt	380 bytes	MD5: 0xCC79B7CEBB605582445F29A3C07A0B88 SHA-1: 0x512D82C81C11804D9F72C0DB408189A4B893887D
80	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\remove_email.txt	401 bytes	MD5: 0xEE4DC0FA899DCC4DA4D0A83A182E69C0 SHA-1: 0xDBBB8F7323CC9C5E0F4D0883946DA15715E41D50
81	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\rename.txt	372 bytes	MD5: 0x56E6D3933860AC105395D8D497A48363 SHA-1: 0x01368B760570F260AD470C794CE76F4E9E3A9385
82	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\restart_server.txt	359 bytes	MD5: 0xEAD882552EA82877EBA56633FFC54631 SHA-1: 0xF687B6607DFE76F73E40C3283A83DA21CB0ECF48
83	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\restart_VPC_server.txt	332 bytes	MD5: 0x1866C1A8CF36C1CE947791491AAEBF14 SHA-1: 0xF1C7032F88B2B94335AD06BD964AF46ABAC048D7
84	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\setting.ini	642 bytes	MD5: 0xA6B04AAB8C16E485EAD7444A8C89B390 SHA-1: 0x60EFCBBAE4E6CF09A600E31578D20AF9C8B4D4EA
85	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\set_email.txt	406 bytes	MD5: 0xF429A88B66A6D053944915578B4BBD74 SHA-1: 0x114EC7BEA04A1961A1574FE18FD5CE4F2258535D
86	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\signature.txt	65 bytes	MD5: 0xF9F5DB6AD94212C0C4E0889A6C3CEC74 SHA-1: 0xD26012D10C3374D17E6D4D351C540E1362DA4DC6
87	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\state_about_OS.txt	293 bytes	MD5: 0x11971AAF48D6C28194CC21CEDD19922E SHA-1: 0x1356ED881DE88A9B737C0C8A52F35843055089FC
88	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english\subject_prefix.txt	27 bytes	MD5: 0xC7EBFBE90232CB19C882447F775BB3E1 SHA-1: 0x8CA1393D5A2C130A72F562140B4865FBCC367284
89	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\address.txt	12 bytes	MD5: 0x55C2E901AD55ADAE1BA1A42043247C51 SHA-1: 0x391DA72DD9E91F0DEE0E21CA81D3891500F93ABF
90	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\authorization_error.txt	567 bytes	MD5: 0xDAF329E4AEA50EA0E4945E5221FDD7CB SHA-1: 0xA3EBF2D607563E3B5F95C89C070561A60B6F8B0E
91	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\change_email.txt	460 bytes	MD5: 0x0E23E42EC5B75DDA798690A4857808C2 SHA-1: 0xB6CBCFCEE5708AB01CC5931E1045B89A8CE01E45
92	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\change_password.txt	428 bytes	MD5: 0x1F3806A9A38643E3FBE5B5090053840C SHA-1: 0x1A7CC36743C9FD13B305F84A872E86A04242A143
93	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\connect.txt	724 bytes	MD5: 0xBE6ECFE88030DE9D41FC748BC81DC746 SHA-1: 0x57090B2D5F461C33873F62A5766FDCEA0CAC01B3
94	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\connect_vpc.txt	482 bytes	MD5: 0x5D6A27963748A61AB774966C645D9B13 SHA-1: 0xB8C3E213E70676CE1E2D2765FD97C36C936D26F1
95	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\disconnect.txt	758 bytes	MD5: 0x8F97CAB2997302E760A9FE6BD7DDEEE2 SHA-1: 0xBEB5FACADDA7A5D9A12BA39B8D0C75DDC760B698
96	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\disconnect_vpc.txt	518 bytes	MD5: 0x80B3EE15878DEFF73A0780A06AC83CE7 SHA-1: 0x259D7C4935EB62DBFC1A459DAB5A9ACC4EB76537
97	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\forget_password.txt	474 bytes	MD5: 0x5000DC86BBD72440480177017A007DEB SHA-1: 0x12F14B55EE71871F25222CE575B6651EB6266A96
98	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\remove_email.txt	425 bytes	MD5: 0x1BE64C00A69BE5953FAE2C15F5EC142A SHA-1: 0x93089456E3F8C2030DCDF951080D02D7C63F19C5
99	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\rename.txt	423 bytes	MD5: 0x5CEACFF429A2DC575760434B00516718 SHA-1: 0x601FF57CCEE1EBA6921B1C2708E5CE4543A1D3D8
100	%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french\restart_server.txt	440 bytes	MD5: 0x68FCFB2FA018690ACD4F728FB5EAEAA4 SHA-1: 0xA91447A733336B3D0CDA52F08FB336E054EE57E8

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%CommonPrograms%\Remote Administrator Control
%CommonPrograms%\Remote Administrator Control\Uninstall
%ProgramFiles%\PCNetSoftware
%ProgramFiles%\PCNetSoftware\RAC Server
%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror
%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\Win2000
%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\x64
%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\x86
%ProgramFiles%\PCNetSoftware\RAC Server\UpdateVersion
%ProgramFiles%\PCNetSoftware\RAC Server\VPC
%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail
%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\czech
%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\english
%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\french
%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\german
%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\italian
%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\portuguese
%ProgramFiles%\PCNetSoftware\RAC Server\VPC\Mail\spanish
%Windir%\Temp\PCNetSoftware RAC Remote Print Monitor

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
MirrInst.exe	%ProgramFiles%\PCNetSoftware\RAC Server\RACMirror\MirrInst.exe	143,360 bytes
RACs.exe	%ProgramFiles%\PCNetSoftware\RAC Server\RACs.exe	4,530,176 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes
racplaysound.exe	%ProgramFiles%\pcnetsoftware\rac server\racplaysound.exe	131,072 bytes
[filename of the sample #1 without extension].tmp	%Temp%\is-8NPQS.tmp\[filename of the sample #1 without extension].tmp	761,856 bytes
racrelation.exe	%ProgramFiles%\pcnetsoftware\rac server\racrelation.exe	1,216,512 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
RACppm.dll	%System%\RACppm.dll	Process name: spoolsv.exe Process filename: %System%\spoolsv.exe Address space: 0xEB0000 - 0xEC5000

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
PCNetSoftware RAC Server	PCNetSoftware RAC Server	"Running"	"%ProgramFiles%\PCNetSoftware\RAC Server\RACs.exe" -service

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator Control Server_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RACServerLogon
HKEY_LOCAL_MACHINE\SOFTWARE\PCNetSoftware
HKEY_LOCAL_MACHINE\SOFTWARE\PCNetSoftware\RAC Server
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\PCNetSoftware RAC Printer Port Monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RACDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RACDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RACDRIVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCNetSoftware RAC Server
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCNetSoftware RAC Server\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCNetSoftware RAC Server\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RACDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RACDriver\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RACDriver\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PCNetSoftware RAC Printer Port Monitor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RACDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RACDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RACDRIVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNetSoftware RAC Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNetSoftware RAC Server\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNetSoftware RAC Server\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RACDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RACDriver\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RACDriver\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

RAC User Help Service = ""%ProgramFiles%\PCNetSoftware\RAC Server\RACSessionService.exe" -service"

so that RACSessionService.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Remote Administrator Control Server_is1]

Inno Setup: Setup Version = "5.3.6 (a)"
Inno Setup: App Path = "%ProgramFiles%\PCNetSoftware\RAC Server"
InstallLocation = "%ProgramFiles%\PCNetSoftware\RAC Server\"
Inno Setup: Icon Group = "Remote Administrator Control"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = "desktopicon"
Inno Setup: Deselected Tasks = ""
DisplayName = "Remote Administrator Control Server 4.0.3"
DisplayIcon = "%ProgramFiles%\PCNetSoftware\RAC Server\RACs.exe"
UninstallString = ""%ProgramFiles%\PCNetSoftware\RAC Server\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\PCNetSoftware\RAC Server\unins000.exe" /SILENT"
Publisher = "Monika Novotna"
URLInfoAbout = "http://www.remote-rac.com"
HelpLink = "http://www.remote-rac.com"
URLUpdateInfo = "http://www.remote-rac.com"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20121002"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RACServerLogon]

Asynchronous = 0x00000000
Impersonate = 0x00000001
DllName = "RACServerLogon.dll"
Startup = "Startup"

so that RACServerLogon.dll is installed as a Winlogon notification package

[HKEY_LOCAL_MACHINE\SOFTWARE\PCNetSoftware\RAC Server]

InstallPath = "%ProgramFiles%\PCNetSoftware\RAC Server"
InstallSetupVersion = "1"
MirrorDriverInstall = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\PCNetSoftware RAC Printer Port Monitor]

Driver = "RACppm.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "PCNetSoftware RAC Server"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000]

Service = "PCNetSoftware RAC Server"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "PCNetSoftware RAC Server"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RACDRIVER\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "RACDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RACDRIVER\0000]

Service = "RACDriver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "RAC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RACDRIVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCNetSoftware RAC Server\Enum]

0 = "Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCNetSoftware RAC Server\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCNetSoftware RAC Server]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = ""%ProgramFiles%\PCNetSoftware\RAC Server\RACs.exe" -service"
DisplayName = "PCNetSoftware RAC Server"
ObjectName = "LocalSystem"
Description = "Enables the authorized users remote computer control"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RACDriver\Enum]

0 = "Root\LEGACY_RACDRIVER\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RACDriver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RACDriver]

Type = 0x00000001
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "\??\%ProgramFiles%\PCNetSoftware\RAC Server\RACDriver.sys"
DisplayName = "RAC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PCNetSoftware RAC Printer Port Monitor]

Driver = "RACppm.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "PCNetSoftware RAC Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000]

Service = "PCNetSoftware RAC Server"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "PCNetSoftware RAC Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCNETSOFTWARE_RAC_SERVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RACDRIVER\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "RACDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RACDRIVER\0000]

Service = "RACDriver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "RAC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RACDRIVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNetSoftware RAC Server\Enum]

0 = "Root\LEGACY_PCNETSOFTWARE_RAC_SERVER\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNetSoftware RAC Server\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNetSoftware RAC Server]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = ""%ProgramFiles%\PCNetSoftware\RAC Server\RACs.exe" -service"
DisplayName = "PCNetSoftware RAC Server"
ObjectName = "LocalSystem"
Description = "Enables the authorized users remote computer control"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RACDriver\Enum]

0 = "Root\LEGACY_RACDRIVER\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RACDriver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RACDriver]

Type = 0x00000001

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

To mark the presence in the system, the following Mutex objects were created:

Global\Win_Instance_Mutex_RAC_ServerService
Global\Win_Instance_Mutex_RAC_ServerReLoadDriver
Global\Win_Instance_Mutex_RAC_ServerWriteLog

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%ProgramFiles%\PCNetSoftware\RAC Server\RACh.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.