Malware Analysis Report

2025-06-15 21:21

Sample ID 230419-aj2qwsfb56
Target https://github.com/Revoliaa/RowexaLauncher/releases/download/v1.0.0/RowexaLauncher.Setup.msi
Tags
agilenet
score
8/10


Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/Revoliaa/RowexaLauncher/releases/download/v1.0.0/RowexaLauncher.Setup.msi was found to be: Likely malicious.

Malicious Activity Summary

agilenet

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Unknown use of msiexec with remote resource

Obfuscated with Agile.Net obfuscator

Enumerates connected drives

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-19 00:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-19 00:15

Reported

2023-04-19 00:18

Platform

win10v2004-20230221-es

Max time kernel

150s

Max time network

153s

Command Line

msiexec.exe /I https://github.com/Revoliaa/RowexaLauncher/releases/download/v1.0.0/RowexaLauncher.Setup.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RowexaLauncher\RowexaLauncher.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unknown use of msiexec with remote resource

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives


Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI7D82.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2BA4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2CBE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2DA9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e572e64.msi C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RowexaLauncher\RowexaLauncher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2764 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 3244 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2416 wrote to memory of 3156 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I https://github.com/Revoliaa/RowexaLauncher/releases/download/v1.0.0/RowexaLauncher.Setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding FACF4E4EB9B1690361584B0D518E1F1A C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 53BA6D2F993A2FEA74FCE6FE545FDD67

C:\Users\Admin\AppData\Roaming\RowexaLauncher\RowexaLauncher.exe

"C:\Users\Admin\AppData\Roaming\RowexaLauncher\RowexaLauncher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
IN 20.207.73.82:443 github.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.73.207.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
GB 95.101.143.242:443 assets.msn.com tcp
US 8.8.8.8:53 242.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FR 51.11.192.49:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 45.147.19.2.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 launchercontent.mojang.com udp
US 13.107.237.48:443 launchercontent.mojang.com tcp
US 8.8.8.8:53 launchermeta.mojang.com udp
US 13.107.237.48:443 launchermeta.mojang.com tcp
US 8.8.8.8:53 48.237.107.13.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 piston-meta.mojang.com udp
US 13.107.246.68:443 piston-meta.mojang.com tcp
US 8.8.8.8:53 libraries.minecraft.net udp
US 13.107.237.68:443 libraries.minecraft.net tcp
US 8.8.8.8:53 68.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 68.237.107.13.in-addr.arpa udp
US 8.8.8.8:53 resources.download.minecraft.net udp
US 13.107.246.68:80 resources.download.minecraft.net tcp

Files
