highPhishing

RUGMI/IDAT Loader + Aurora Stealer — Multi-Stage DLL Sideloading Campaign

InvestigatedMarch 14, 2026PublishedMarch 14, 2026

phishingvidarsectopratdll-sideloadingcredential-theftc2apt

Executive Summary

This sample is a fully decrypted Stage 4 payload from the RUGMI/HijackLoader (also tracked as IDAT Loader) pay-per-install malware ecosystem, delivering an Aurora Stealer infostealer as the final payload. The container is a 4.1 MB custom binary bundle that uses aggressive DLL sideloading with legitimate signed binaries to evade detection, employs Living-off-the-Land (LoTL) techniques via MSBuild.exe, and installs persistence via the Windows Startup folder as RaScope.exe.

The campaign identifier embedded in the binary is xy_Alt_betav1, and the developer's username (xmr) is captured in a PDB path — a potential attribution indicator. Related infrastructure has been observed since early 2024; this specific deployment variant was first seen 2026-03-09, indicating active development and ongoing campaign operations.

Why this matters: RUGMI/IDAT Loader is a Malware-as-a-Service (MaaS) pay-per-install loader renting infrastructure to multiple threat actors. It has been linked to campaigns targeting Ukrainian government and energy entities, cryptocurrency theft, and widespread credential harvesting across Europe and North America.

Sample Metadata

Field	Value
Filename	`stage_4_decrypted_payload.bin`
SHA256	`c89f99602d833822c0954ac0266580919816da23b2adeb820dcf8b5639afb04a`
MD5	`cedce7db7b05ddf1f20e7177dcf2d03b`
SHA1	`421cce17a4a6281406d0766f127f12f592202f17`
File Type	Custom binary container (application/octet-stream)
File Size	4,335,774 bytes (4.1 MB)
VT Detections	0/76 (fresh sample, not in VT as of analysis)
First Seen	2026-03-14 00:42:09 UTC
Reporter	Lenard
Tags	decrypted-payload, DLL-sideloading, HijackLoader, IDAT-Loader, LZNT1, Rugmi, ShadowLadder, Sysinternals
Campaign ID	`xy_Alt_betav1`

Static Analysis

File Structure

The binary uses a custom container format — not a standard PE. The file is organized as follows:

Offset      Size       Description
─────────────────────────────────────────────────────────────
0x0000      1,264 B    Config header block (custom format)
0x04F0    202,672 B    tcpvcon.exe (Sysinternals v4.18, signed)
                         └─ Sections: .text .rdata .data .rsrc .reloc
                         └─ Authenticode cert: PKCS#7 (10,160 bytes)
0x31CA0     80,346 B   Malicious 32-bit DLL code (pla.dll body)
0x4567A    290,816 B   zip.exe (Info-ZIP for Win32, legitimate)
0x90B52      6,656 B   Small x64 PE (component loader)
0xDA905      3,072 B   Small x86 PE (tinyutilitymodule.dll x86)
0xDB505    113,152 B   tinystub64.bin / Register.dll (MALICIOUS, 7/75 VT)
0xF6F05      2,560 B   tinyutilitymodule.dll x86 (RUGMI utility)
0xF7905      3,072 B   tinyutilitymodule64.dll x64 (RUGMI utility)
0xF856D    732,672 B   EngineX-Aurora.exe (disguised jpegoptim.exe)
                         └─ PDB: C:\Users\xmr\Desktop\jpegoptim-windows\...
                         └─ Authenticode cert (10,216 bytes)
0x1ADB55 2,575,689 B   Main x64 malicious code (Aurora Stealer body +
                        encrypted payload blob, entropy 7.97)
─────────────────────────────────────────────────────────────
Total:   4,335,774 B

Config Header Block (0x0000–0x04EF)

The first 1,264 bytes contain a structured configuration in a custom format with null-padded UTF-16LE and ASCII string fields:

Field              Encoding   Value
────────────────────────────────────────────────────────────
Header magic       DWORD      0x08000004
Payload size       DWORD      0x927C0 (600,000)
Aux field          DWORD      0xF24D (62,029)
Export hook name   UTF-16LE   "UploadValidate"
Drop path          UTF-16LE   "%APPDATA%"
Reference DLL      ASCII      "%windir%\SysWOW64\pla.dll"
Entry count        DWORD      1
Exe size           DWORD      0x317B0 (202,672 bytes)
Exe name           ASCII      "tcpvcon.exe"
Exe args           ASCII      "/accepteula"
Component list:               d3d9.dll
                              EngineX-Aurora.exe
                              Register.dll
                              Tiegwak.gzz
                              Windpoulroul.rw
                              !EngineX-Aurora.exe (temp staging name)
                              ~Register.dll (temp staging name)

Key insight: The UploadValidate export hook is used for the malicious pla.dll sideloading. The config tells the loader to export UploadValidate while the legitimate %windir%\SysWOW64\pla.dll is used as a reference for export forwarding — a classic DLL sideloading setup.

Embedded Components

1. `tcpvcon.exe` — DLL Sideloading Launcher (Legitimate)

SHA256: e202f137869cce7fdea6b6cd1169f5e0b6a46cc2d89265a31f63484b0f48bb29
Description: Sysinternals TcpVcon v4.18 — TCP connection enumeration tool
Copyright: © 1996-2023 Mark Russinovich & Bryce Cogswell
PE timestamp: 2023-03-29
Authenticode: Valid Sysinternals certificate chain (DigiCert CA)
Purpose: RUGMI uses this signed binary to sideload pla.dll. When tcpvcon.exe runs, Windows loads pla.dll from the same directory (DLL search order hijack) instead of the system copy.
VT: 1/76 detections (CrowdStrike: 60% malicious confidence — contextual flag)
Also submitted as: i5qaz.exe, payload
First seen in VT: 2026-03-09 (5 days before this sample)

2. `pla.dll` body (Malicious 32-bit Code, 0x31CA0)

Size: 80,346 bytes
Entropy: 5.89
Description: The malicious 32-bit DLL that replaces pla.dll. Contains the RUGMI/IDAT core loader module names.

Key strings extracted:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
xy_Alt_betav1          ← campaign/version identifier
driverTool
LauncherLdr64
modCreateProcess / modCreateProcess64
eProcess64
modTask64
modUAC64
modWriteFile / modWriteFile64
rshell64
TinycallProxy / TinycallProxy64
tinystub / tinystub64
tinyutilitymodule.dll / tinyutilitymodule64.dll
COPYLIST
CUSTOMINJECT / CUSTOMINJECTPATH / MINJECTPATH
CoInitializeEx / CoCreateInstance   ← COM-based injection
%WINDIR%\Microsoft.NET\Framework\v2.0.50727
%WINDIR%\Microsoft.NET\Framework\v4.0.30319
MSBuild.exe                         ← LoTL technique
%windir%\SysWOW64 / %windir%\System32
%windir%\explorer.exe               ← process injection target

3. `zip.exe` — Info-ZIP Utility (Legitimate)

SHA256: a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
Size: 290,816 bytes (x86)
Company: Info-ZIP (copyright 1997–2008)
VT: 0/77 (clean)
Purpose: Embedded as a utility tool for payload packing/unpacking operations

4. `tinyutilitymodule.dll` x86 + x64 (RUGMI Utility)

SHA256 x86: 68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
SHA256 x64: b02b8547644bbfe77428e59c5ccec56c412e3c83aec44180e59110189a249956
Key export: _tiny_erase_
Purpose: Internal RUGMI utility module. The _tiny_erase_ export likely performs cleanup/memory wiping operations.

5. `tinystub64.bin` / `Register.dll` — IDAT Loader Core (MALICIOUS)

SHA256: 729e5965e43ff458f6da901536c9a43be52a3820718e2dd5456150e2d73bb97f
Size: 113,152 bytes (x64)
Sections: .text, .rdata, .data, .pdata, .gxfg, .gehcont, .rsrc, .reloc
Compiled with: Control Flow Guard (CFG) — .gxfg, .gehcont sections present
Import table: None (uses runtime API resolution — dynamic loading via hashed API names)
VT detections: 7/75 — flagged as:
- Sophos: Troj/Loader-GF
- ZoneAlarm: Troj/Loader-GF
- Google: Detected
- Bkav: W64.AIDetectMalware
- DeepInstinct: MALICIOUS
- MaxSecure: Trojan.Malware.218665838.susgen
- alibabacloud: Trojan
First seen in VT: 2024-01-10
Last seen in VT: 2026-03-19 (very recent — ongoing campaign)
VT campaign aliases: tinystub64.bin, IDAT_decompressed_payload.bin.00144c5f_0001ba00.exe, IDAT_decompressed_payload.bin.00144dfd_0001ba00.exe, carved_PE at 0x001063bc
IDAT attribution: The VT name IDAT_decompressed_payload.bin directly links this component to the IDAT Loader campaign
Purpose: Core loader/injector. Performs dynamic API resolution to evade imports-based detection. Spawns WER service and consolehost as cover processes during execution (per sandbox analysis).

6. `EngineX-Aurora.exe` (disguised as `jpegoptim.exe`) — Aurora Launcher

SHA256: c52664283a0dc2c3d500b236ce2d5379802c0d74d903da6b3e133b2de6e77949
Size: 732,672 bytes (x64)
PDB path: C:\Users\xmr\Desktop\jpegoptim-windows\Release\x64\jpegoptim.pdb
Sections: .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc
VT: 0/0 (not in VT database)
Purpose: This binary is the legitimate jpegoptim JPEG optimizer tool used as a DLL sideloading host for d3d9.dll. When executed, Windows loads d3d9.dll from the working directory instead of the system DirectX DLL, executing the malicious payload.
Developer note: The PDB username xmr is a potential developer identifier. This binary is stored with a fake jpegoptim PDB to mislead forensic analysis.
Contents: Full jpegoptim utility strings, JPEG processing code, PDB ID: 74017e528ed731e76a8d244d80cf8db865aaaf76

7. Main x64 Payload Body (0x1ADB55–EOF)

Size: 2,575,689 bytes (2.46 MB)
Entropy: 7.97 (near-maximum — encrypted/compressed)
First visible string: %LOCALAPPDATA%\RaScope.exe — the installation/persistence path
Architecture: x64 code + encrypted data sections
Magic constant: 0x00AABBCC (appears in both x86 and x64 code — likely validation constant or decryption seed)
Purpose: The Aurora Stealer / RUGMI payload body. The bulk of this region contains encrypted payload data that is decrypted at runtime using a key derived from system fingerprinting or hardcoded AES/RC4 parameters.

Infection Chain / Kill Chain

DELIVERY (phishing / drive-by / cracked software)
    │
    ▼
Stage 1–3: RUGMI/HijackLoader initial stages
    │  (LZNT1-compressed, ShadowLadder crypter)
    ▼
Stage 4: This payload (stage_4_decrypted_payload.bin)
    │
    ├─ Parse config header
    │    ├─ Export hook: UploadValidate
    │    ├─ Drop path: %APPDATA%\
    │    └─ DLL reference: %windir%\SysWOW64\pla.dll
    │
    ├─ DROP Chain 1 (32-bit, tcpvcon sideloading):
    │    ├─ Write tcpvcon.exe → %APPDATA%\[dir]\tcpvcon.exe
    │    ├─ Write malicious pla.dll → %APPDATA%\[dir]\pla.dll
    │    └─ Execute: tcpvcon.exe /accepteula
    │         └─ Windows loads local pla.dll (hijacks DLL search)
    │              └─ pla.dll exports UploadValidate → RUGMI loader
    │
    ├─ DROP Chain 2 (64-bit, jpegoptim sideloading):
    │    ├─ Write EngineX-Aurora.exe → [dir]\EngineX-Aurora.exe
    │    ├─ Write d3d9.dll / Register.dll → [dir]\d3d9.dll
    │    └─ Execute: EngineX-Aurora.exe
    │         └─ Windows loads local d3d9.dll (DirectX DLL hijack)
    │              └─ Register.dll / tinystub64 → IDAT Loader core
    │
    ├─ LOADER BEHAVIOR (pla.dll / tinystub64):
    │    ├─ Persistence: copy self → %LOCALAPPDATA%\RaScope.exe
    │    ├─ Startup: add RaScope.exe to Startup folder
    │    ├─ LoTL: MSBuild.exe (.NET v2/v4) for code execution
    │    ├─ UAC bypass (modUAC64)
    │    ├─ Process injection into explorer.exe
    │    ├─ Decrypt and load final payload (entropy 7.97 blob)
    │    └─ Deploy tinyutilitymodule.dll (cleanup/erase utility)
    │
    └─ FINAL PAYLOAD (Aurora Stealer / InfoStealer):
         ├─ Browser credential theft (Chrome, Firefox, Edge)
         ├─ Cookie/session token harvesting
         ├─ Cryptocurrency wallet theft
         ├─ File exfiltration
         └─ C2 communication (encrypted, AES/RC4)

Behavioral Analysis (Inferred from Static + OSINT)

Persistence Mechanisms

Method	Detail
Startup Folder	`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
RaScope persistence	`%LOCALAPPDATA%\RaScope.exe` (copy of main payload)

Process Execution

Process	Purpose
`tcpvcon.exe /accepteula`	DLL sideloading launcher
`MSBuild.exe`	LoTL .NET code execution
`explorer.exe`	Process injection target
`svchost.exe -k WerSvcGroup`	Cover process (sandox observed)

DLL Sideloading Pairs

Launcher (Legitimate)	Malicious DLL	System DLL Hijacked
`tcpvcon.exe` v4.18	`pla.dll`	`%windir%\SysWOW64\pla.dll`
`EngineX-Aurora.exe` (jpegoptim)	`d3d9.dll`	`%windir%\System32\d3d9.dll`

File Operations

Drops: d3d9.dll, EngineX-Aurora.exe, Register.dll to working directory
Drops: Tiegwak.gzz, Windpoulroul.rw (temporary/obfuscated payload names)
Cleans up: !EngineX-Aurora.exe, ~Register.dll (temp staging files)
Uses _tiny_erase_ export for self-cleanup

Network Indicators

C2 Configuration Status

The C2 URLs/IPs are stored in the high-entropy encrypted blob (entropy: 7.97) and are not recoverable via static analysis without the runtime decryption key. The malware likely uses AES-128 or RC4 with a hardcoded key for C2 config decryption.

Magic constant found in code: 0x00AABBCC — present in both 32-bit and 64-bit code sections at key function entry points. This may be a decryption seed, API hash seed, or version marker.

Known Network Behaviors (from VT sandbox analysis)

Indicator	Type	Context
`res.public.onecdn.static.microsoft`	Microsoft CDN	WER telemetry (cover traffic)
`184.25.123.137`	IP	Akamai CDN (WER telemetry)

Aurora Stealer C2 Patterns (from threat intel)

Aurora Stealer variants have been observed communicating with:

HTTP POST to /api/ endpoints on actor-controlled servers
Common ports: 80, 443, 8080, 8443
User-Agent strings mimicking Chrome/Firefox

MITRE ATT&CK TTPs

Technique	ID	Tactic	Description
DLL Side-Loading	T1574.002	Persistence / Privilege Escalation	`tcpvcon.exe` → `pla.dll`; `EngineX-Aurora.exe` → `d3d9.dll`
Startup Folder	T1547.001	Persistence	`%APPDATA%\...\Startup\RaScope.exe`
MSBuild	T1218.004	Defense Evasion	LoTL via `MSBuild.exe`
Process Injection	T1055	Defense Evasion	`modCreateProcess`, `eProcess64` into `explorer.exe`
Bypass UAC	T1548.002	Privilege Escalation	`modUAC64` module
Obfuscated Files	T1027	Defense Evasion	LZNT1, AES/RC4 encryption, encrypted payload blob
Deobfuscate/Decode	T1140	Defense Evasion	Runtime decryption of config and final payload
Ingress Tool Transfer	T1105	Command and Control	Downloads additional payloads via C2
System Binary Proxy Exec	T1218	Defense Evasion	MSBuild.exe for code execution
Signed Binary Proxy Exec	T1218	Defense Evasion	tcpvcon.exe, jpegoptim.exe (signed/legitimate)
Modify Registry	T1112	Defense Evasion	Registry operations (inferred from modTask64)
Scheduled Task	T1053.005	Persistence	`modTask64` module for scheduled task creation
Credentials from Browsers	T1555.003	Credential Access	Aurora Stealer browser credential theft
Steal Web Session Cookie	T1539	Credential Access	Aurora Stealer cookie harvesting
File and Directory Discovery	E1083/T1083	Discovery	File system enumeration
Terminate Process	C0018	Defense Evasion	Self-termination to hinder analysis
Environment Variable Discovery	T1082	Discovery	Resolves %APPDATA%, %LOCALAPPDATA%, etc.
COM Object Hijacking	T1546.015	Persistence	`CoInitializeEx`/`CoCreateInstance` usage

Indicators of Compromise (IOCs)

File Hashes

Hash	Algorithm	Description
`c89f99602d833822c0954ac0266580919816da23b2adeb820dcf8b5639afb04a`	SHA256	Main container (this sample)
`cedce7db7b05ddf1f20e7177dcf2d03b`	MD5	Main container
`421cce17a4a6281406d0766f127f12f592202f17`	SHA1	Main container
`e202f137869cce7fdea6b6cd1169f5e0b6a46cc2d89265a31f63484b0f48bb29`	SHA256	tcpvcon.exe (Sysinternals v4.18)
`729e5965e43ff458f6da901536c9a43be52a3820718e2dd5456150e2d73bb97f`	SHA256	tinystub64.bin / Register.dll (MALICIOUS)
`c52664283a0dc2c3d500b236ce2d5379802c0d74d903da6b3e133b2de6e77949`	SHA256	EngineX-Aurora.exe (jpegoptim disguise)
`a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0`	SHA256	zip.exe (Info-ZIP, legitimate)
`68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe`	SHA256	tinyutilitymodule.dll x86
`b02b8547644bbfe77428e59c5ccec56c412e3c83aec44180e59110189a249956`	SHA256	tinyutilitymodule64.dll x64
`8e8e43a2f0069f081f5ffb77237faebcda9a46e8f8fd0e128500e74bbc9ea3a5`	SHA256	Small x64 loader component

File Paths

Path	Description
`%LOCALAPPDATA%\RaScope.exe`	Persistence/installation path
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\`	Startup folder persistence
`%APPDATA%\[var]\tcpvcon.exe`	Sideloading launcher
`%APPDATA%\[var]\pla.dll`	Malicious DLL (sideloaded by tcpvcon)
`[dir]\EngineX-Aurora.exe`	Second sideloading launcher
`[dir]\d3d9.dll`	Malicious DirectX DLL (second sideloading)
`[dir]\Register.dll`	IDAT Loader core component
`[dir]\tinyutilitymodule.dll`	RUGMI utility (32-bit)
`[dir]\tinyutilitymodule64.dll`	RUGMI utility (64-bit)
`[dir]\Tiegwak.gzz`	Encrypted/compressed payload
`[dir]\Windpoulroul.rw`	Encrypted/compressed payload

Strings / Behavioral IOCs

Indicator	Type	Description
`UploadValidate`	Export hook name	pla.dll DLL sideloading export
`xy_Alt_betav1`	Campaign ID	Internal version/campaign identifier
`RaScope.exe`	Process name	Malware persistence executable name
`driverTool`	Module name	Internal RUGMI module
`LauncherLdr64`	Module name	64-bit launcher loader
`modCreateProcess64`	Module name	Process creation module
`modUAC64`	Module name	UAC bypass module
`modTask64`	Module name	Scheduled task module
`rshell64`	Module name	Remote shell module
`TinycallProxy64`	Module name	Code injection proxy
`tinystub64`	Module name	Stub loader module
`CUSTOMINJECT`	Config key	Custom injection technique
`0x00AABBCC`	Magic constant	Code marker / possible decryption seed
`_tiny_erase_`	Export name	Cleanup/wipe function export

PDB Path (Attribution)

C:\Users\xmr\Desktop\jpegoptim-windows\Release\x64\jpegoptim.pdb

Developer username: xmr — appears consistently across the Aurora Stealer component.

Campaign Context

RUGMI / HijackLoader / IDAT Loader Overview

RUGMI (also tracked as HijackLoader and IDAT Loader) is a Malware-as-a-Service (MaaS) pay-per-install loader first observed in 2023. It is offered to cybercriminals on underground forums to deploy various payloads. The loader has been used to distribute:

Aurora Stealer
Rhadamanthys Stealer
SectopRAT
DanaBot
CryptBot
Vidar Stealer

Campaign Timeline

Date	Event
2023 Q3	RUGMI/HijackLoader first documented by MORFIS and zscaler
2024-01-10	`tinystub64.bin` (Register.dll) first seen in VT
2024 Q1	IDAT Loader campaign targeting Ukrainian organizations (CERT-UA)
2026-03-09	This specific `tcpvcon.exe` deployment variant first seen in VT
2026-03-14	This Stage 4 payload submitted by reporter Lenard
2026-03-19	`tinystub64.bin` last seen in VT (ongoing)

VT Campaign Siblings (via tinystub64 hash)

The tinystub64.bin component (SHA256: 729e5965...) has been identified in multiple samples:

IDAT_decompressed_payload.bin.00144c5f_0001ba00.exe
IDAT_decompressed_payload.bin.00144dfd_0001ba00.exe
dec5.exe, payload_5.bin, 4.bin, 2.exe, 6.exe

These naming patterns suggest automated extraction tooling (likely IDAT Loader unpackers) producing these files from parent samples.

Attribution

Confidence Assessment

Attribution Claim	Evidence	Confidence
RUGMI/HijackLoader MaaS loader	Module names, config format, DLL sideloading pattern	HIGH
IDAT Loader variant	VT name `IDAT_decompressed_payload.bin`, tinystub64 component	HIGH
Aurora Stealer payload	`EngineX-Aurora.exe` component name, module architecture	MEDIUM
Developer username `xmr`	PDB path in EngineX-Aurora component	MEDIUM
Russian-speaking threat actor	RUGMI sold in Russian underground forums, naming conventions	LOW-MEDIUM
ShadowLadder crypter	Sample tagged with ShadowLadder; matches known packer behavior	MEDIUM

OPSEC Mistakes by Threat Actor

PDB path preserved: C:\Users\xmr\Desktop\jpegoptim-windows\Release\x64\jpegoptim.pdb — exposes developer username xmr
Campaign tag in plaintext: xy_Alt_betav1 stored as unobfuscated ASCII in the DLL body — allows campaign tracking across submissions
Reused components: tinystub64.bin has been in the wild since 2024-01-10 — the component is not regularly refreshed, allowing retrospective linking of campaign infrastructure

Infrastructure Map

THREAT ACTOR (xmr / RUGMI affiliate)
        │
        ├─ ShadowLadder Crypter Service (packing/protecting loader)
        │
        ├─ RUGMI/IDAT Loader Infrastructure (MaaS)
        │    ├─ Stage 1–3 delivery (external, not in this sample)
        │    └─ Stage 4: This container (DLL sideloading package)
        │
        └─ Aurora Stealer C2 (encrypted, not recoverable statically)
             ├─ HTTP/HTTPS endpoint (port 80/443/8080)
             └─ Exfiltration: credentials, cookies, crypto wallets

SIDELOADING CHAIN:
tcpvcon.exe (Sysinternals, signed)
    └─ loads pla.dll (malicious 32-bit DLL, UploadValidate export)
         └─ RUGMI 32-bit loader code

EngineX-Aurora.exe (jpegoptim.exe, legitimate function)
    └─ loads d3d9.dll (malicious DirectX DLL)
         └─ Register.dll / tinystub64 (IDAT Loader core, 7/75 VT)
              └─ Aurora Stealer (64-bit, RaScope.exe persistence)

Detection Recommendations

Hunting Queries

File-based:

filename: RaScope.exe AND path: %LOCALAPPDATA%
filename: EngineX-Aurora.exe
filename: Tiegwak.gzz OR filename: Windpoulroul.rw
filename: tinyutilitymodule*.dll
export: _tiny_erase_

Process-based:

process: tcpvcon.exe AND parent: NOT sysinternals_installer
process: MSBuild.exe AND parent: NOT visual_studio AND NOT build_system
tcpvcon.exe /accepteula (executed from %APPDATA%)

Registry/File behavior:

write: %LOCALAPPDATA%\RaScope.exe
write: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
write: pla.dll AND NOT path: %windir%
write: d3d9.dll AND NOT path: %windir%