4eb3f1190787c75b2205366f83526146a04692270872799179fba7161d98d470

Analysis

max time kernel
784s
max time network
788s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
28/03/2023, 19:01

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

reWASD651-7455.exe
Size

22.5MB
MD5

ab59ba6d3be8a4a581c4c655144926e7
SHA1

9d2310ba522e62eaa6e8c7b59a506df93c03a5cc
SHA256

4eb3f1190787c75b2205366f83526146a04692270872799179fba7161d98d470
SHA512

985d4dc906761fdcfbf180581c019c3dc8d2ae01e71244a913c9c6d86acbd19359ed8ab25919f91bc07409d8a4c942b6038c2d3ae264ab6e923cd2bc06a36aa3
SSDEEP

393216:sd+TvJ9A8hNtpo11oAFD/0pO6FrOhNtqlF8zVpz24gSZ2d+Z58i9jX:hpofrJCO6FrUNt5pz24gdd+Z559jX

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\SET9C8E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\hidgamemap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET9C8E.tmp	DrvInst.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2604	netsh.exe
4408	netsh.exe
4816	netsh.exe
3912	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
5112	reWASDService.exe
376	reWASDService.exe
984	reWASDService.exe
4268	reWASDService.exe

Loads dropped DLL 64 IoCs

pid	Process
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
2244	reWASD651-7455.exe
4996	mscorsvw.exe
4996	mscorsvw.exe
4996	mscorsvw.exe
4996	mscorsvw.exe
376	mscorsvw.exe
376	mscorsvw.exe
376	mscorsvw.exe
376	mscorsvw.exe
3984	mscorsvw.exe
1596	mscorsvw.exe
1596	mscorsvw.exe
3668	mscorsvw.exe
4280	mscorsvw.exe
4168	mscorsvw.exe
4168	mscorsvw.exe
3736	mscorsvw.exe
2920	mscorsvw.exe
2920	mscorsvw.exe
4716	mscorsvw.exe
4716	mscorsvw.exe
4588	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
1592	mscorsvw.exe
2132	mscorsvw.exe
2132	mscorsvw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\reWASD Engine = "\"C:\\Program Files\\reWASD\\reWASDEngine.exe\""	reWASD651-7455.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\SET9982.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cf1bc053-c5f2-e144-99ed-dc4a90a2e596}\SET9F9C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_ecd984f601508a74\netserv.PNF	reWASDService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\hidgamemap.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidgamemap.inf_amd64_d0105ccbf21c4832\hidgamemap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidgamemap.inf_amd64_d0105ccbf21c4832\hidgamemap.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cf1bc053-c5f2-e144-99ed-dc4a90a2e596}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cf1bc053-c5f2-e144-99ed-dc4a90a2e596}\SET9F9B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{cf1bc053-c5f2-e144-99ed-dc4a90a2e596}\SET9F9C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	reWASDService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\SET9981.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\SET9982.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cf1bc053-c5f2-e144-99ed-dc4a90a2e596}\hidgameflt.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidgameflt.inf_amd64_a346fb41642799ea\hidgameflt.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_23069e5b67ce90a4\c_netservice.PNF	reWASDService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidgameflt.inf_amd64_a346fb41642799ea\hidgameflt.PNF	reWASDService.exe
File created	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\SET9992.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_960a76222168b3fa\ndiscap.PNF	reWASDService.exe
File created	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\SET9981.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\hidgamemap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cf1bc053-c5f2-e144-99ed-dc4a90a2e596}\hidgameflt.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidgameflt.inf_amd64_a346fb41642799ea\hidgameflt.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_56290c9e296b5be9\netpacer.PNF	reWASDService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_9b48be32f09b1fb6\netnwifi.PNF	reWASDService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\SET9992.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4f29e8ed-88ea-a742-a260-ca2a54d8ef03}\hidgamemap.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidgamemap.inf_amd64_d0105ccbf21c4832\hidgamemap.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{cf1bc053-c5f2-e144-99ed-dc4a90a2e596}\SET9F9B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_ded82fc1c2b41e6b\netvwififlt.PNF	reWASDService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_739e9ec110147b31\netbrdg.PNF	reWASDService.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidgamemap.inf_amd64_d0105ccbf21c4832\hidgamemap.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidgamemap.inf_amd64_d0105ccbf21c4832\hidgamemap.PNF	reWASDService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_286311b3ad406c73\netrass.PNF	reWASDService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_e610f6f65afdc230\netnb.PNF	reWASDService.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\reWASD\CrossPlatformLib.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\reWASD3rdPartyHelper.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\RUS.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\UKR.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\hidgamemap.sys	reWASDService.exe
File created	C:\Program Files\reWASD\hidgameflt.inf	reWASDService.exe
File created	C:\Program Files\reWASD\reWASDService.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\Corale.Colore.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\firmware\REWASD_GIMX_1_03.hex.md5	reWASD651-7455.exe
File created	C:\Program Files\reWASD\hidgamemap.cat	reWASDService.exe
File created	C:\Program Files\reWASD\Assets\NintendoLED.json	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\DEU.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\reWASDUACHelper.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\hidgamemap.inf	reWASDService.exe
File created	C:\Program Files\reWASD\hidgameflt.cat	reWASDService.exe
File created	C:\Program Files\reWASD\InGameOverlay64.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\reWASDCommandLine.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\FRA.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\StartDXOverlay64.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\StartDXOverlay32.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\CHT.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\ITA.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\JPN.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\firmware\REWASD_GIMX_1_03.hex	reWASD651-7455.exe
File created	C:\Program Files\reWASD\inst\setuphlp (1).dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\DiscSoft.NET.Common.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\InGameOverlay32.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\inst\setuphlp.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\avrdude\avrdude.conf	reWASD651-7455.exe
File created	C:\Program Files\reWASD\avrdude\avrdude.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\reWASDEngine.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\CHS.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\ESN.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\PTB.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\firmware\REWASD_ESP32_1_02.zip	reWASD651-7455.exe
File created	C:\Program Files\reWASD\reWASDPolicy.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\uninst.exe	reWASD651-7455.exe
File created	C:\Program Files\reWASD\LangResources\ENU.dll	reWASD651-7455.exe
File created	C:\Program Files\reWASD\reWASD.exe.config	reWASD651-7455.exe
File created	C:\Program Files\reWASD\reWASD.exe	reWASD651-7455.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\868-0\System.Printing.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\13f8-0\System.ServiceModel.Internals.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\180-0\System.ServiceModel.Activation.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\178-0\reWASD.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\440-0\System.Design.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12e4-0\System.IO.Compression.FileSystem.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\INF\oem4.PNF	reWASDService.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e98-0\System.Windows.Input.Manipulations.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\2dc6cfd856864312d563098f9486361c\System.Windows.Forms.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e6c-0\DiscSoft.NET.Common.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\5d271a02e221b644ac9e7f0e29b9ece3\System.Runtime.Caching.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1288d7e030bc0c5d8b2cbe5f33aeed7f\System.Data.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4ac-0\System.Web.RegularExpressions.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\126c-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\e8c-0\System.Runtime.Caching.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\190-0\System.Data.OracleClient.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ad0-0\System.Web.Services.dll	mscorsvw.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1b0-0\System.ServiceModel.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\840-0\System.Data.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1048-0\UIAutomationTypes.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\254-0\System.Web.ApplicationServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\79f7533caac95e3eee555dba4e616fb9\System.DirectoryServices.Protocols.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\c37de755ec3ee73d604bc11f85599177\System.ServiceProcess.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\c34-0\System.Management.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\664e4afe397442c26ea9ededbb639ce5\System.Xaml.Hosting.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1130-0\System.Data.Linq.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\afee8437a90f473862f2d364b3669041\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1238-0\System.IdentityModel.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\12b0-0\Microsoft.Build.Utilities.v4.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\be443628567a54d5e826bd656850208c\System.ServiceModel.Activation.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1318-0\Microsoft.JScript.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\e9321ea18d8469f2adca065fe0651379\System.Data.Services.Design.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\698-0\System.Data.Services.Client.dll	mscorsvw.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\3bfcfe12488f0a2285f5f08274cbc13f\UIAutomationProvider.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\ddc-0\PresentationUI.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\b90f40ba78ef47ed0a9a563e242f6322\System.Runtime.Remoting.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\668443fd7a2b8ee0c9d813bba224cb32\System.Data.OracleClient.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\03ae2f501b4d6620464cd9a409f59248\System.Data.Services.Client.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\d24-0\System.Data.Entity.dll	mscorsvw.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\8391072310ccd84eecefe797cfd4a4a5\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\840-0\System.Activities.DurableInstancing.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11ec-0\System.Drawing.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\00232ece6fbf0584e184386c7ac94b51\System.Printing.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\7a1dfc357f4135dbddcf38fd9279b2a7\System.ServiceModel.Internals.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\0659bfe79859e92397fc1a510aa918e3\System.Drawing.Design.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\860-0\System.IdentityModel.Selectors.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\1e1a1bd97e618bc4934ee967bea27ae8\UIAutomationTypes.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\53cf54ff35686c4044952a8cf8b8021e\System.Web.ApplicationServices.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\aa7d7c2bf390b327607c0f3dc47741fa\System.IO.Compression.FileSystem.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\113c-0\reWASDEngine.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\DiscSoft.NET.Common\05a114294985345c90604a1feac4c660\DiscSoft.NET.Common.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\10e4-0\System.Web.dll	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mscorsvw.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	reWASDService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	reWASDService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	reWASDService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	reWASDService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	reWASDService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	reWASDService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\shell\open	reWASD651-7455.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\shell\open\command	reWASD651-7455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\shell\open\command\ = "C:\\Program Files\\reWASD\\reWASD.exe /import \"%1\""	reWASD651-7455.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rewasd	reWASD651-7455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rewasd\reWASD.config_backup	reWASD651-7455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rewasd\ = "reWASD.config"	reWASD651-7455.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config	reWASD651-7455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\shell\ = "open"	reWASD651-7455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\ = "reWASD config"	reWASD651-7455.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\DefaultIcon	reWASD651-7455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\DefaultIcon\ = "C:\\Program Files\\reWASD\\reWASD.exe,0"	reWASD651-7455.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\shell	reWASD651-7455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\reWASD.config\shell\open\ = "Open with reWASD"	reWASD651-7455.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2244	reWASD651-7455.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	reWASD651-7455.exe
Token: SeLoadDriverPrivilege	376	reWASDService.exe
Token: SeBackupPrivilege	512	vssvc.exe
Token: SeRestorePrivilege	512	vssvc.exe
Token: SeAuditPrivilege	512	vssvc.exe
Token: SeBackupPrivilege	376	reWASDService.exe
Token: SeRestorePrivilege	376	reWASDService.exe
Token: SeAuditPrivilege	4756	svchost.exe
Token: SeSecurityPrivilege	4756	svchost.exe
Token: SeLoadDriverPrivilege	376	reWASDService.exe
Token: SeRestorePrivilege	4408	DrvInst.exe
Token: SeBackupPrivilege	4408	DrvInst.exe
Token: SeLoadDriverPrivilege	4408	DrvInst.exe
Token: SeLoadDriverPrivilege	4408	DrvInst.exe
Token: SeLoadDriverPrivilege	4408	DrvInst.exe
Token: 33	5064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5064	AUDIODG.EXE
Token: SeShutdownPrivilege	4932	svchost.exe
Token: SeCreatePagefilePrivilege	4932	svchost.exe
Token: SeLoadDriverPrivilege	4268	reWASDService.exe
Token: SeBackupPrivilege	2848	srtasks.exe
Token: SeRestorePrivilege	2848	srtasks.exe
Token: SeSecurityPrivilege	2848	srtasks.exe
Token: SeTakeOwnershipPrivilege	2848	srtasks.exe
Token: SeBackupPrivilege	2848	srtasks.exe
Token: SeRestorePrivilege	2848	srtasks.exe
Token: SeSecurityPrivilege	2848	srtasks.exe
Token: SeTakeOwnershipPrivilege	2848	srtasks.exe
Token: SeShutdownPrivilege	4972	shutdown.exe
Token: SeRemoteShutdownPrivilege	4972	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2244	reWASD651-7455.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
512	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 4992	2244	reWASD651-7455.exe	67
PID 2244 wrote to memory of 4992	2244	reWASD651-7455.exe	67
PID 2244 wrote to memory of 4992	2244	reWASD651-7455.exe	67
PID 2244 wrote to memory of 4152	2244	reWASD651-7455.exe	69
PID 2244 wrote to memory of 4152	2244	reWASD651-7455.exe	69
PID 2244 wrote to memory of 4152	2244	reWASD651-7455.exe	69
PID 2244 wrote to memory of 5112	2244	reWASD651-7455.exe	71
PID 2244 wrote to memory of 5112	2244	reWASD651-7455.exe	71
PID 2244 wrote to memory of 376	2244	reWASD651-7455.exe	72
PID 2244 wrote to memory of 376	2244	reWASD651-7455.exe	72
PID 376 wrote to memory of 2848	376	reWASDService.exe	78
PID 376 wrote to memory of 2848	376	reWASDService.exe	78
PID 4756 wrote to memory of 3480	4756	svchost.exe	81
PID 4756 wrote to memory of 3480	4756	svchost.exe	81
PID 4756 wrote to memory of 4408	4756	svchost.exe	82
PID 4756 wrote to memory of 4408	4756	svchost.exe	82
PID 4756 wrote to memory of 4148	4756	svchost.exe	86
PID 4756 wrote to memory of 4148	4756	svchost.exe	86
PID 2244 wrote to memory of 984	2244	reWASD651-7455.exe	88
PID 2244 wrote to memory of 984	2244	reWASD651-7455.exe	88
PID 2244 wrote to memory of 1592	2244	reWASD651-7455.exe	91
PID 2244 wrote to memory of 1592	2244	reWASD651-7455.exe	91
PID 2244 wrote to memory of 1592	2244	reWASD651-7455.exe	91
PID 2244 wrote to memory of 2472	2244	reWASD651-7455.exe	93
PID 2244 wrote to memory of 2472	2244	reWASD651-7455.exe	93
PID 2244 wrote to memory of 2472	2244	reWASD651-7455.exe	93
PID 2244 wrote to memory of 1076	2244	reWASD651-7455.exe	95
PID 2244 wrote to memory of 1076	2244	reWASD651-7455.exe	95
PID 2244 wrote to memory of 1076	2244	reWASD651-7455.exe	95
PID 2244 wrote to memory of 1284	2244	reWASD651-7455.exe	97
PID 2244 wrote to memory of 1284	2244	reWASD651-7455.exe	97
PID 2244 wrote to memory of 1284	2244	reWASD651-7455.exe	97
PID 2244 wrote to memory of 3912	2244	reWASD651-7455.exe	99
PID 2244 wrote to memory of 3912	2244	reWASD651-7455.exe	99
PID 2244 wrote to memory of 3912	2244	reWASD651-7455.exe	99
PID 2244 wrote to memory of 3548	2244	reWASD651-7455.exe	101
PID 2244 wrote to memory of 3548	2244	reWASD651-7455.exe	101
PID 2244 wrote to memory of 3548	2244	reWASD651-7455.exe	101
PID 2244 wrote to memory of 4776	2244	reWASD651-7455.exe	103
PID 2244 wrote to memory of 4776	2244	reWASD651-7455.exe	103
PID 2244 wrote to memory of 4776	2244	reWASD651-7455.exe	103
PID 2244 wrote to memory of 2604	2244	reWASD651-7455.exe	105
PID 2244 wrote to memory of 2604	2244	reWASD651-7455.exe	105
PID 2244 wrote to memory of 2604	2244	reWASD651-7455.exe	105
PID 2244 wrote to memory of 596	2244	reWASD651-7455.exe	107
PID 2244 wrote to memory of 596	2244	reWASD651-7455.exe	107
PID 2244 wrote to memory of 596	2244	reWASD651-7455.exe	107
PID 2244 wrote to memory of 4872	2244	reWASD651-7455.exe	109
PID 2244 wrote to memory of 4872	2244	reWASD651-7455.exe	109
PID 2244 wrote to memory of 4872	2244	reWASD651-7455.exe	109
PID 2244 wrote to memory of 4408	2244	reWASD651-7455.exe	111
PID 2244 wrote to memory of 4408	2244	reWASD651-7455.exe	111
PID 2244 wrote to memory of 4408	2244	reWASD651-7455.exe	111
PID 2244 wrote to memory of 4816	2244	reWASD651-7455.exe	113
PID 2244 wrote to memory of 4816	2244	reWASD651-7455.exe	113
PID 2244 wrote to memory of 4816	2244	reWASD651-7455.exe	113
PID 2244 wrote to memory of 4100	2244	reWASD651-7455.exe	115
PID 2244 wrote to memory of 4100	2244	reWASD651-7455.exe	115
PID 2244 wrote to memory of 4100	2244	reWASD651-7455.exe	115
PID 4100 wrote to memory of 4996	4100	ngen.exe	117
PID 4100 wrote to memory of 4996	4100	ngen.exe	117
PID 4100 wrote to memory of 4996	4100	ngen.exe	117
PID 4100 wrote to memory of 376	4100	ngen.exe	118
PID 4100 wrote to memory of 376	4100	ngen.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\reWASD651-7455.exe
"C:\Users\Admin\AppData\Local\Temp\reWASD651-7455.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\logman.exe
  "C:\Windows\System32\logman.exe" start REWASD_service -p {0CEA7670-4CD6-45B1-9133-71A9DC48464E} 0xff 255 -o "C:\Users\Public\Documents\reWASD\Logs\REWASD_service.etl" -ets
  2⤵
  PID:4992
- C:\Windows\SysWOW64\logman.exe
  "C:\Windows\System32\logman.exe" start REWASD_driver -p {CC6AEC39-B441-4BC8-A92D-2EC99B921C82} 0xff 255 -o "C:\Users\Public\Documents\reWASD\Logs\REWASD_driver.etl" -ets
  2⤵
  PID:4152
- C:\Program Files\reWASD\reWASDService.exe
  "C:\Program Files\reWASD\reWASDService.exe" -drvcheck
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Program Files\reWASD\reWASDService.exe
  "C:\Program Files\reWASD\reWASDService.exe" -drvinstall
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- C:\Program Files\reWASD\reWASDService.exe
  "C:\Program Files\reWASD\reWASDService.exe" -install
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\SysWOW64\logman.exe
  "C:\Windows\System32\logman.exe" stop REWASD_service -ets
  2⤵
  PID:1592
- C:\Windows\SysWOW64\logman.exe
  "C:\Windows\System32\logman.exe" stop REWASD_driver -ets
  2⤵
  PID:2472
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" http add urlacl url=http://*:35474/ sddl=D:(A;;GX;;;S-1-1-0)
  2⤵
  PID:1076
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" http add urlacl url=http://localhost:35474/ sddl=D:(A;;GX;;;S-1-1-0)
  2⤵
  PID:1284
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" advfirewall firewall add rule name="reWASD Engine Http (In) 35474" dir=in action=allow protocol=TCP localport=35474
  2⤵
  - Modifies Windows Firewall
  PID:3912
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" http add urlacl url=http://*:35475/ sddl=D:(A;;GX;;;S-1-1-0)
  2⤵
  PID:3548
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" http add urlacl url=http://localhost:35475/ sddl=D:(A;;GX;;;S-1-1-0)
  2⤵
  PID:4776
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" advfirewall firewall add rule name="reWASD Engine Http (In) 35475" dir=in action=allow protocol=TCP localport=35475
  2⤵
  - Modifies Windows Firewall
  PID:2604
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" http add urlacl url=http://*:35476/ sddl=D:(A;;GX;;;S-1-1-0)
  2⤵
  PID:596
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" http add urlacl url=http://localhost:35476/ sddl=D:(A;;GX;;;S-1-1-0)
  2⤵
  PID:4872
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" advfirewall firewall add rule name="reWASD Engine Http (In) 35476" dir=in action=allow protocol=TCP localport=35476
  2⤵
  - Modifies Windows Firewall
  PID:4408
- C:\Windows\SysWOW64\netsh.exe
  "netsh.exe" advfirewall firewall add rule name="reWASD UDP Emulator Port <36474>" dir=in action=allow protocol=UDP localport=36474
  2⤵
  - Modifies Windows Firewall
  PID:4816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "reWASD.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess d4 -Pipe 1c4 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:4996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:3984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 264 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 26c -Pipe 2dc -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:3668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2ec -Pipe 288 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:4280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 26c -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2fc -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2ec -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2e0 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 29c -Pipe 290 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2f4 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 1a0 -Pipe 2e4 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 300 -Pipe 308 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:2132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 310 -Pipe 320 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 0 -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 32c -Pipe 300 -Comment "NGen Worker Process"
    3⤵
    PID:2192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 1a0 -Pipe 348 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 30c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 0 -NGENProcess 350 -Pipe 334 -Comment "NGen Worker Process"
    3⤵
    PID:820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 0 -NGENProcess 358 -Pipe 34c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 0 -NGENProcess 30c -Pipe 2d8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 0 -NGENProcess 29c -Pipe 338 -Comment "NGen Worker Process"
    3⤵
    PID:228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 0 -NGENProcess 29c -Pipe 350 -Comment "NGen Worker Process"
    3⤵
    PID:3612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 0 -NGENProcess 29c -Pipe 328 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 0 -NGENProcess 35c -Pipe 368 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 0 -NGENProcess 340 -Pipe 37c -Comment "NGen Worker Process"
    3⤵
    PID:2112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 0 -NGENProcess 388 -Pipe 38c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 0 -NGENProcess 1a0 -Pipe 340 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 0 -NGENProcess 384 -Pipe 390 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 0 -NGENProcess 364 -Pipe 304 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 0 -NGENProcess 29c -Pipe 2f0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"
    3⤵
    PID:3584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 0 -NGENProcess 32c -Pipe 36c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 364 -Pipe 30c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 0 -NGENProcess 1a0 -Pipe 33c -Comment "NGen Worker Process"
    3⤵
    PID:4016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 0 -NGENProcess 31c -Pipe 354 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 0 -NGENProcess 39c -Pipe 360 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 0 -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"
    3⤵
    PID:2260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 0 -NGENProcess 35c -Pipe 2d0 -Comment "NGen Worker Process"
    3⤵
    PID:1884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 0 -NGENProcess 2c4 -Pipe 358 -Comment "NGen Worker Process"
    3⤵
    PID:2612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 2c4 -Pipe 370 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 0 -NGENProcess 2bc -Pipe 1a0 -Comment "NGen Worker Process"
    3⤵
    PID:2592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 300 -Pipe 31c -Comment "NGen Worker Process"
    3⤵
    PID:5084
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 318 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2c8 -Pipe 3a0 -Comment "NGen Worker Process"
    3⤵
    PID:2944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 394 -Pipe 2c0 -Comment "NGen Worker Process"
    3⤵
    PID:2712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 0 -NGENProcess 2ec -Pipe 290 -Comment "NGen Worker Process"
    3⤵
    PID:3676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 300 -Pipe 308 -Comment "NGen Worker Process"
    3⤵
    PID:3436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 29c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 2bc -Pipe 364 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2dc -Pipe 384 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 26c -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2dc -Comment "NGen Worker Process"
    3⤵
    PID:1368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2c4 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 0 -NGENProcess 388 -Pipe 344 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 0 -NGENProcess 34c -Pipe 388 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2f8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 348 -Pipe 22c -Comment "NGen Worker Process"
    3⤵
    PID:3476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 0 -NGENProcess 34c -Pipe 320 -Comment "NGen Worker Process"
    3⤵
    PID:1168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2e8 -Pipe 348 -Comment "NGen Worker Process"
    3⤵
    PID:3332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "reWASDEngine.exe"
  2⤵
  - Drops file in Windows directory
  PID:2500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"
    3⤵
    PID:4036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 284 -Pipe 1c8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:4412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "DiscSoft.NET.Common.dll"
  2⤵
  - Drops file in Windows directory
  PID:1528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1c4 -Comment "NGen Worker Process"
    3⤵
    PID:380
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1868

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3cbafb2b-ba26-c14a-975f-711473c6491f}\hidgamemap.inf" "9" "47bb1681b" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files\rewasd"
  2⤵
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3480
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "hidgamemap.inf:f5fe8c81ebc2f07d:Install:3.26.0.0:root\hidgamemap," "47bb1681b" "0000000000000174"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3a2e3e14-2f8b-4249-af24-bbe059d745bc}\hidgameflt.inf" "9" "47391871b" "0000000000000194" "WinSta0\Default" "0000000000000174" "208" "C:\Program Files\reWASD"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4148

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s hidserv
1⤵
PID:4900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Program Files\reWASD\reWASDService.exe
"C:\Program Files\reWASD\reWASDService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3adb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\MICROS~1\Windows\DEVICE~1\en-US\10ccdb63-1013-4e05-a8a8-eede0a450819.devicemetadata-ms

Filesize
103KB

MD5
7876774487d639485915ef1fec0aac9c

SHA1
abc0e6bccb44c228d458e2c97c8f3e5a879a35df

SHA256
dcc755a74b02d97dbda4550d52f2a2a8a9b8579b796f5a80a9261f51f93ef195

SHA512
15a8ab238a03c37947b416c9a9d0897cc085f28a2ec00d7bf01794b4513bdb9dd3dc56e878436bc2fcfe2422d635df467737403fc8a9d6f9baffdb527a9359f4

Download Submit
C:\PROGRA~3\MICROS~1\Windows\DEVICE~1\en-US\4a3b622e-c82c-4b54-aa5d-01ee2e671fd2.devicemetadata-ms

Filesize
121KB

MD5
b003e021a9fd895f5fe5c076682c5754

SHA1
460fb60da0d11ddadebbf1ce238420a1ba48ec4c

SHA256
d92535e3bbca40057a408274169ec49cd29e90f0719086d33a407cbe74577b0b

SHA512
85671d0e64aeb0fd1da4606bc7ff95556497c8c05ccb98e1ddbaa9c6e8c06b0dbb6d9f65b8b03b6d415f988dfbf29d0e4372bfca90d28c951d40b115a815862c

Download Submit
C:\PROGRA~3\MICROS~1\Windows\DEVICE~1\en-US\4d8abd34-19a4-450e-a442-94b3210b6539.devicemetadata-ms

Filesize
129KB

MD5
fe225357a9ae03b847d3010f2a9ad988

SHA1
9b8c6d5147d37551e8087c7eed6b6c106f835019

SHA256
6dc4956fc9b83a132113d024990b8441cf4a0d3d983257ba46eb5baf23250b7e

SHA512
be6c77bd5938fac6e74b04ce027ada2efb423fd599c22dd33219f0171cf109c16a4b8ccf585f8906ab257690376c6d0506b5435d09a45d37d71f749e0e061d88

Download Submit
C:\PROGRA~3\MICROS~1\Windows\DEVICE~1\en-US\5ba03f96-d207-411e-b8d2-55b96a0a3d90.devicemetadata-ms

Filesize
131KB

MD5
e3f9d46399386c7a4964874405ad4c54

SHA1
aa113e17e390f584950df1f358a32bd44fdc3ae4

SHA256
105cfec28f8fff17692f0fd266e1fcf78203f9c0943f076fda3841c2d090f407

SHA512
42c3a7506482486a070ed8ab2a26215a76e0fd91f6f2e2f6d506ee48dfc829662d4fcee31ee8e5fd6e0568e5e270b887e4a7da30333ef4957b41ec521d158a81

Download Submit
C:\PROGRA~3\MICROS~1\Windows\DEVICE~1\en-US\ed64edf0-344a-4b09-9b6d-b808d54d1b31.devicemetadata-ms

Filesize
127KB

MD5
a8ca6700fc6bc8f07177ff5601cfc595

SHA1
5b37905b484e376a34136e0e9019bf58db818627

SHA256
62da0d8dca62a732be5691a8627601db8378e4bed487d5fcfa3cddbd22c091d1

SHA512
04236ad3d517024be0adfb7fa22df8c00ceb39b30354d172de424326f920123433b5cc53b2a9415f1d5454653909e93cdfb8c343d3cd4f3f5cb8cb63a04a972e

Download Submit
C:\PROGRA~3\MICROS~1\Windows\DEVICE~1\en-US\f035d2d3-ae4b-4fc7-b4bb-c9a617abd2a3.devicemetadata-ms

Filesize
175KB

MD5
16008e8ada33e49c061b13d02804d3b8

SHA1
00515d11dfe7cec1c2bd8268bad767d0e0dd6a94

SHA256
b8654b90c817400645c527db38528fa6437120f6ba5eac72d7774eee34eebe3a

SHA512
b62bfa895f0a3b6364a865f4979ce8e7147999f7d9c53733298004982256a283da79cb5ae543b02df1f45498e8ba825f226f527128988d56a87ceaf8123fc425

Download Submit
C:\Program Files\reWASD\LangResources\CHS.dll

Filesize
78KB

MD5
9e0faf0848551a6a5c995b5d8387e1f5

SHA1
9f071097549ff7ac158487506546d6f16c6d8376

SHA256
0c4e8bfc21a228e8f92c0b378bba05d7bef3e1580b07ab40a992e4a4e2a118ea

SHA512
eff0622a93de69a74abcc13f0c02e119f08ca3a1b81d0623362e391a481aa8315f4c839b9f7258350dbb49d9bbb07722d42c058022cfa1bfb0f75298747ef5c0

Download Submit
C:\Program Files\reWASD\LangResources\CHT.dll

Filesize
85KB

MD5
67d8338c129d8ab2e85078294f9a22b8

SHA1
5a2a5ee9139334412eb6949c907f509ccb40a27f

SHA256
c63c11f2ebf1afa2c9460fefb0d4a55bc4bf5c39e44b6e37e8507da51406ada7

SHA512
17d9955822fb14f91f7b044bd1ffb3885fb0f5cfbe7acb85b8b5229f436588371825e99bd8f0ebb7ed297616af72c520be37ece20f4147f6fb0e3d8fc4941428

Download Submit
C:\Program Files\reWASD\LangResources\DEU.dll

Filesize
189KB

MD5
2d62ebe877fd2179d3de2df9b6cc398b

SHA1
a08cbbfb2ccf62b4274caf54915cc8dbb39a4ad4

SHA256
ee458a0312c618b15cc2bf5e2633306388ba0aab225d358aeb067167e3e20115

SHA512
a9ee79970996880f43aebf4e100f17ec1c06a21a0544ee4553292ca9c9e0569cefbf22471156a4ef5bbb9c94ed69ee4b26af84bd575569797ac7a7e3118c4e74

Download Submit
C:\Program Files\reWASD\LangResources\ESN.dll

Filesize
182KB

MD5
89325172c9718abbd56c6c96ca99aa47

SHA1
6c1e1712c505d9c0dbeb32d733672fe2e4dbc8cb

SHA256
00b0edd130676dfe31a025add94d85f3286a8b44d052a16137397605a4e965b6

SHA512
a352b8d8ac67c43ad11a4673ac9f0ed7469f1f2e8a0f02553b0e087169768999a371de828215165701b704c2abdc11728821688c078f84b93d19a891c263b27a

Download Submit
C:\Program Files\reWASD\LangResources\FRA.dll

Filesize
190KB

MD5
3764317435066549e9ee473aaff401b6

SHA1
46c6f0374c7366a074edeb6d1f9d242c16ebeeba

SHA256
7b572246ffb2654a496a74cf72f7ae30c10799ee0d50a2d333d43c403d562f9b

SHA512
14196daceba4aeef7cb14af24364fb0e03721eb4d647748b02d7b0c0e1a510e35d1d398d9582fe061d3155ed3d94c8ae759e390f879d7f9404bb20727cd5c6fb

Download Submit
C:\Program Files\reWASD\LangResources\ITA.dll

Filesize
180KB

MD5
d6d7b109975a8ee3099fc142b8b3d7b9

SHA1
65d374006564e9995e604de4d6185fc25aef2b40

SHA256
2937dda17485937a5ea15e90ba0b6e68052306a99177db885c51c46bdceeb66c

SHA512
e23e47776da729471f7086cf54fb3904222e9f28431f4702adf03aea4270da98226a89cda57fb46e9a9b9230815a957065034f340ed0755a114d5fdeea12d6ee

Download Submit
C:\Program Files\reWASD\LangResources\JPN.dll

Filesize
99KB

MD5
2af268c906ff8eb2b4af12114609264f

SHA1
e80bc0545e7677a511d867564269c04b3eff7836

SHA256
7e695c36121925ce34d87ae83c817fa9ae0a69fca79463350d5ca1ea3cbaf524

SHA512
a3a6ed8b7ac6fca1c624f51359aff12776cd8b5e3cbd306765c10ceee349bf1dbdb0b5c35eb1c9d8adb039d932e59ab99d51dde610e73b05ae2a889a261bab25

Download Submit
C:\Program Files\reWASD\LangResources\PTB.dll

Filesize
178KB

MD5
7bfa5c94a8b040e99df94d22317e7bce

SHA1
3f16e791f942bbdb19437b2bb3db15e379ed7a95

SHA256
cfbaddff764d743a7823db1b5e1b21ed8e3d35baa8627e4d3609a30d4aa65a55

SHA512
8f11a3648347936f0749d0d81d6c65af129923efe677d44d83f14da0a11a1d5536d35907a845b90e6a9dc0c1e5aaf98b4bdfcb59d4e3f81a8df30faab7c8ae03

Download Submit
C:\Program Files\reWASD\LangResources\RUS.dll

Filesize
171KB

MD5
75f75d63735822fe28d6bbfa834d0a98

SHA1
31c1584ef0eb31d96f72e428ac3f1c1353a1f2ce

SHA256
43f831fccc4c845dbb8c93e14c9b1834a039e562055a1b00bf986da17b7603bb

SHA512
45fc2d81c7416f5d7a6588838c6ccdf46165007b83a7e123cfb232ae3213394d36e314b67cf46b6eea401c86d1c19a0fdbc9d657d441c414ce6ba990a94f28c6

Download Submit
C:\Program Files\reWASD\LangResources\UKR.dll

Filesize
170KB

MD5
ddf34002664411ac9438ce86e29eae9c

SHA1
23a244050943794b276b230d11449e045c8cea16

SHA256
8cd89686a58e5a02398b2ae8fce2acaf526adf7dd3c7fcc9a439f441bbdbeb63

SHA512
b0641574c766aa5e43b4efafa3009aaac852a5f4d940c06de0d74ff2c6ff06de7bb110bc0181d0877bdd501dd1ec5319af49fa40ecaf1a774b9f613a5a86fa50

Download Submit
C:\Program Files\reWASD\hidgameflt.cat

Filesize
11KB

MD5
dc50d8914fbd6074a19842dc8820fce7

SHA1
9cb38bad720795bf1d40be205e97da9d4fd2724a

SHA256
df49a4b32136d388248d3d738a7cf6be622944e6f6e236b1ebd2a09b6054c7b5

SHA512
bebafe484989b0ded9e7ebf1ec33a521f61feb8b341d41c0304419dbc45e646601e0b8544bf64dc6f70cb1b4680671ef4927b920a8d01c0bed140dc6e19a702e

Download Submit
C:\Program Files\reWASD\hidgameflt.inf

Filesize
925B

MD5
1b5ece23733d14566fc50cf67f8c930a

SHA1
e2247faf11e21c785dd8009dbfdc6b269b850af8

SHA256
58a8369c194fcba5d941ba7b57980b514ab1284bd194acbf0febb86a9b8b364d

SHA512
e179f549f807bc1f7ce94f0ba633a4a8672168d07a3b907ab2d1cef8460a7b670982785bd24e0522d91b059dde0a15b4c16084e6da553f0970b4992bd6b2dd09

Download Submit
C:\Program Files\reWASD\hidgamemap.cat

Filesize
11KB

MD5
5345e9ebbc345758bbb5fd98d92762a5

SHA1
94327c851a22c8046502fdfe4e73d37044f665e7

SHA256
354d3281100b64dfccc19b0a4ee75d59da648a058f52f3f326dd9683a2f71860

SHA512
51117ac89ac492d976bf50729fd5d7a6b5809c5c8691cc06ccfafdff4fcc82dbbe6e145f384b2fb6907aed1755d2bb3b25254c4994c6fc06ffcd74b6046579c5

Download Submit
C:\Program Files\reWASD\hidgamemap.inf

Filesize
1KB

MD5
1333b8aa48705013420dd9ed1050d575

SHA1
d2ce41e3844c4f240f0723a24c3afb311f5784d6

SHA256
f8a1e51b3f5c789ddb3e955327db4962de9679202cffc4ccf201d65d82855273

SHA512
8f4ce17b4fb69f044b9f39165e6fac14ef30f9fe0f78ab9c95a22d74a479fbf42eba9c4d7df63758414c49b07d0a75fdaf112c3756eb15e56b4fd8cae3ead874

Download Submit
C:\Program Files\reWASD\hidgamemap.sys

Filesize
343KB

MD5
212feba492d9262684f6fdd89bc55446

SHA1
819cece7e17cea98028586d0f0ef8c6b7e647ae7

SHA256
74a82ed3874943952dbd24b32c2d6632fed14c06673f92ac2ee5f82db3c4f56d

SHA512
bed3c8293c9315db40258805c1de07919c1d86cc6743723196e29059434dcac161fb862aa1fa2304f01fd6ce137da36ad4b8ad472240e68f5db0a69ddce7da17

Download Submit
C:\Program Files\reWASD\reWASD.exe

Filesize
8.9MB

MD5
3ccd22bbdcbbf4bb8ebf92823db3d426

SHA1
4483c35cdbc5cfa4813a153bf6aa9ed5a7e755db

SHA256
8777f67aff92d5c887901c6090e852c866b1403e51daea0f67fc0fd98ea6e429

SHA512
e81fd24aceb2288a447c7734cf65248c7d0630154a7ed726127a1ca39d16bcf007a848caedc0e4a4b0f89cf5776b7d90d810a0291218289e46ca0db4b31b22f7

Download Submit
C:\Program Files\reWASD\reWASD.exe

Filesize
8.9MB

MD5
3ccd22bbdcbbf4bb8ebf92823db3d426

SHA1
4483c35cdbc5cfa4813a153bf6aa9ed5a7e755db

SHA256
8777f67aff92d5c887901c6090e852c866b1403e51daea0f67fc0fd98ea6e429

SHA512
e81fd24aceb2288a447c7734cf65248c7d0630154a7ed726127a1ca39d16bcf007a848caedc0e4a4b0f89cf5776b7d90d810a0291218289e46ca0db4b31b22f7

Download Submit
C:\Program Files\reWASD\reWASD.exe.config

Filesize
1003B

MD5
3262ed335b7feac5bb7fe0c29146f593

SHA1
24cb7f9124d61f6e589742a3427b9db019e11a01

SHA256
c9bd9908db742683038efe8f7cc9891e57b287a2168fd451a1a4ad4517711889

SHA512
e28788d878bb8677496e83be291267ff3971dfd1dd81f7481ff232a91c37065ce0c4b0dfcd33dc5dcc3e4ecad9fe0b839e2dd57b7182a97284984f73b3c0c28e

Download Submit
C:\Program Files\reWASD\reWASDService.exe

Filesize
2.9MB

MD5
ec4cccb89e61988442745776da6675cb

SHA1
46f3345395129dc6976c2b000d7ac03b77126ea0

SHA256
cb6660ded33e6076e2b11b03e392a4f40955b2b9b714049438db5100c863737e

SHA512
f25c56f53e634a29650c94895b4ccfe905e132f92ccf988cebb8db8fb8e474e5395eb3993fc5103d87311e5eb7bbf9988cfae53e30404f786893e12c810b9f79

Download Submit
C:\Program Files\reWASD\reWASDService.exe

Filesize
2.9MB

MD5
ec4cccb89e61988442745776da6675cb

SHA1
46f3345395129dc6976c2b000d7ac03b77126ea0

SHA256
cb6660ded33e6076e2b11b03e392a4f40955b2b9b714049438db5100c863737e

SHA512
f25c56f53e634a29650c94895b4ccfe905e132f92ccf988cebb8db8fb8e474e5395eb3993fc5103d87311e5eb7bbf9988cfae53e30404f786893e12c810b9f79

Download Submit
C:\Program Files\reWASD\reWASDService.exe

Filesize
2.9MB

MD5
ec4cccb89e61988442745776da6675cb

SHA1
46f3345395129dc6976c2b000d7ac03b77126ea0

SHA256
cb6660ded33e6076e2b11b03e392a4f40955b2b9b714049438db5100c863737e

SHA512
f25c56f53e634a29650c94895b4ccfe905e132f92ccf988cebb8db8fb8e474e5395eb3993fc5103d87311e5eb7bbf9988cfae53e30404f786893e12c810b9f79

Download Submit
C:\Program Files\reWASD\reWASDService.exe

Filesize
2.9MB

MD5
ec4cccb89e61988442745776da6675cb

SHA1
46f3345395129dc6976c2b000d7ac03b77126ea0

SHA256
cb6660ded33e6076e2b11b03e392a4f40955b2b9b714049438db5100c863737e

SHA512
f25c56f53e634a29650c94895b4ccfe905e132f92ccf988cebb8db8fb8e474e5395eb3993fc5103d87311e5eb7bbf9988cfae53e30404f786893e12c810b9f79

Download Submit
C:\Program Files\reWASD\reWASDService.exe

Filesize
2.9MB

MD5
ec4cccb89e61988442745776da6675cb

SHA1
46f3345395129dc6976c2b000d7ac03b77126ea0

SHA256
cb6660ded33e6076e2b11b03e392a4f40955b2b9b714049438db5100c863737e

SHA512
f25c56f53e634a29650c94895b4ccfe905e132f92ccf988cebb8db8fb8e474e5395eb3993fc5103d87311e5eb7bbf9988cfae53e30404f786893e12c810b9f79

Download Submit
C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\multiloc\10ccdb63-1013-4e05-a8a8-eede0a450819\DeviceInfo\en-US\DeviceInfo.xml

Filesize
538B

MD5
808b9ccccceb9dc78b8164c675a00f64

SHA1
427744a0ee78c1e2d94898c891c76f8606c47e3d

SHA256
fbb469ff098f5151c0bd74945834c4cf4632f74e3d6bc484d047c243e7023a5d

SHA512
152d0e23034b1372214cbf53ee954b90aaadf4df20e80ee8a293afebb4007ceb8e985b5245dbc2d028f00173fc509b0a520d438fe6b4750394b20e358089589a

Download Submit
C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\multiloc\10ccdb63-1013-4e05-a8a8-eede0a450819\PackageInfo.xml

Filesize
1KB

MD5
b8eeb20cd4da34f5e6c60b925ffb63ee

SHA1
e2332cf457ea84eabf6d93ba45f28cf0f43b4be9

SHA256
c521addfc93f4df9db409197c6f93e23fc135cbb63dc9fe9c02bce2e62ee7b4b

SHA512
94ee27e1d83ad5280ff110c0fc534602453aecb28525161db9b57d80cd734c960f46d4e95b818784602d600d92bc84bdcbe637e51ad189c21d832ca1fc205ce5

Download Submit
C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\multiloc\10ccdb63-1013-4e05-a8a8-eede0a450819\WindowsInfo\en-US\WindowsInfo.xml

Filesize
533B

MD5
ae782f154700acb8c38b5f90600edca7

SHA1
e2f3c25f15af68201f0170b3690928cb2f7fb2fe

SHA256
542bb47e39e812b2ec0607fa77465240df2d295d74d13720035c7e8a179bb445

SHA512
273e35a382ad938a0aba2c53c10e428224859fc5aaa4721a4e97554a5804c5341fb6ab21e1d281097965dd001f5eb45abb6eb355c3fe9e8b84c623a4e0e381c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A2E3~1\hidgameflt.cat

Filesize
11KB

MD5
dc50d8914fbd6074a19842dc8820fce7

SHA1
9cb38bad720795bf1d40be205e97da9d4fd2724a

SHA256
df49a4b32136d388248d3d738a7cf6be622944e6f6e236b1ebd2a09b6054c7b5

SHA512
bebafe484989b0ded9e7ebf1ec33a521f61feb8b341d41c0304419dbc45e646601e0b8544bf64dc6f70cb1b4680671ef4927b920a8d01c0bed140dc6e19a702e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3CBAF~1\hidgamemap.cat

Filesize
11KB

MD5
5345e9ebbc345758bbb5fd98d92762a5

SHA1
94327c851a22c8046502fdfe4e73d37044f665e7

SHA256
354d3281100b64dfccc19b0a4ee75d59da648a058f52f3f326dd9683a2f71860

SHA512
51117ac89ac492d976bf50729fd5d7a6b5809c5c8691cc06ccfafdff4fcc82dbbe6e145f384b2fb6907aed1755d2bb3b25254c4994c6fc06ffcd74b6046579c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3CBAF~1\hidgamemap.sys

Filesize
343KB

MD5
212feba492d9262684f6fdd89bc55446

SHA1
819cece7e17cea98028586d0f0ef8c6b7e647ae7

SHA256
74a82ed3874943952dbd24b32c2d6632fed14c06673f92ac2ee5f82db3c4f56d

SHA512
bed3c8293c9315db40258805c1de07919c1d86cc6743723196e29059434dcac161fb862aa1fa2304f01fd6ce137da36ad4b8ad472240e68f5db0a69ddce7da17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3a2e3e14-2f8b-4249-af24-bbe059d745bc}\hidgameflt.inf

Filesize
925B

MD5
1b5ece23733d14566fc50cf67f8c930a

SHA1
e2247faf11e21c785dd8009dbfdc6b269b850af8

SHA256
58a8369c194fcba5d941ba7b57980b514ab1284bd194acbf0febb86a9b8b364d

SHA512
e179f549f807bc1f7ce94f0ba633a4a8672168d07a3b907ab2d1cef8460a7b670982785bd24e0522d91b059dde0a15b4c16084e6da553f0970b4992bd6b2dd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3cbafb2b-ba26-c14a-975f-711473c6491f}\hidgamemap.inf

Filesize
1KB

MD5
1333b8aa48705013420dd9ed1050d575

SHA1
d2ce41e3844c4f240f0723a24c3afb311f5784d6

SHA256
f8a1e51b3f5c789ddb3e955327db4962de9679202cffc4ccf201d65d82855273

SHA512
8f4ce17b4fb69f044b9f39165e6fac14ef30f9fe0f78ab9c95a22d74a479fbf42eba9c4d7df63758414c49b07d0a75fdaf112c3756eb15e56b4fd8cae3ead874

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\Fortnite\Controller\Double movement.rewasd

Filesize
3KB

MD5
712dfaef8373af26e0a89c8592eef0b1

SHA1
663b9164d6b35b4073ea23dbb4f71cbf73d211d7

SHA256
662756e39a5f057c5edecc5464a7b79d1f9a5494b3f4f30beca72dff5f4727f4

SHA512
49b7316203f5240cca5767b8592adcf868cce7cb557adbbbb6b04200c4a45e784399bce5e0ec647e8d9eea2110c366405c27bbf872442c8438c72fb07d3bcc0f

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\Fortnite\IcoGame.png

Filesize
269KB

MD5
9ab8cbec5b61357684f7ca436deb1fa8

SHA1
626d58fcb5544b74466689297b429ba021b2dc05

SHA256
de828b711dea56563a009cc47642c54e5fc38fdea37d8a7677e8f8412bd7036a

SHA512
a05a49385b5fdb1a246cfbe84c8859a2d38c7f3b275fb87f1519aac039b0293ca31ee88498149bed249191b63f7e45566fef315d9d5dbd5657c286ba83effdbe

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\PS4 Remote Play (2023)\Controller\For Keyboard & Mouse.rewasd

Filesize
69KB

MD5
188f2439da63508db4ee0e025b7ba918

SHA1
bf1a3c9a3c4fb09a3ff006a0dee659c2170a2f19

SHA256
bbeee0fa97e19ca6c6bf23663a4fb465507daa784714182fdb02f9aea4b07e1b

SHA512
a8b8f9ef79599bdab2d0ba5d4fec0e7ab94369f28a4a515bfac8b359318eb93904b3cba866712191cec475baac75e482408a6958344785737b3c578c1aaefae5

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\PS4 Remote Play (2023)\IcoGame.png

Filesize
453KB

MD5
ff596ab3265df6db369996ef455e90ed

SHA1
920df613e33223eeccdf07b82ffce4622bc5ca50

SHA256
e09a2f1a9a04efb485bf35c402f5adbaca1821e6ef05ba9f65414760c61473a2

SHA512
8aae92cfbdfc7dac570b6b5e5ff381a5329cfa8a3c6d0552a48dbaa2432dae104dc16b8b7edf34e0c63ed6dbc6c38bb7a519473232d1a7033a1e8452ee27a03e

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\Switch console\Controller\For Any device.rewasd

Filesize
69KB

MD5
01bbdf8e66318cb24245a2be643ab670

SHA1
92c896fe8b7c2e9f6e27de7a80ef477135cf49e9

SHA256
e7efc86ef882c162fa88d2764b8b647966f5a5e1bc631ff0781baebaae143643

SHA512
9ba6c4bf82ff18d7e5f5b117d0f2e1a1213ea6504321579b45b469ed8cfa2d3c8f7860424ba9ab8cb161fe0eeefbe68e09058e98dea52d6ab3740d98ffbafc01

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\Switch console\IcoGame.png

Filesize
484KB

MD5
7ba44ef4cf5b25558dfd9561b54c2449

SHA1
05ebf7587443386df5fbe0945a90c10c6f07d90b

SHA256
feea7a36e5ba70b36d2b501cdce652013f35976d049d5e154cc8b272774b9b27

SHA512
68dfad91cb16229fcc5bd8c76b3d51a34be411fc297e19fcd9a6627354470b9da38274830389529ce5918190e033799eab56762943c7559ebbd9ebdab56d571c

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\Switch to Xbox 360\Controller\For Any Controller.rewasd

Filesize
406B

MD5
1ccbe7c61f22e6ca768d51c36c92b9b2

SHA1
5e829c21a646caaddaf89e600cd97b77f8c01f5d

SHA256
6c8a54e671b04a51859478e5b2c28c68f54d32936035f55d345155e6b4603418

SHA512
95681c357a40ab9d23b8d4e1484847f2636a9117b1ea0ca1cc11231b8ecccdebec4f80f23fc2bae403d2bb3422260d27ad6ae5358d3758714bb30409052c5596

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\Switch to Xbox 360\IcoGame.png

Filesize
880KB

MD5
eacfdfbae6e6d7e6abecb58a73e812e4

SHA1
6b6053164db446d1d772d9ae6ea3cc0af7dfc34b

SHA256
5e0499e1f33b85867c1aa36bc1b86aa2c86aa3152814dcabaa2e8ccd0dd9e2ab

SHA512
5c3fd1f39744a6521a6de72ef805a03d9c58d06970de76c3e1741969f74e702460d0efe25f8d6d406e86c70150ec4de4e8b27b8f7f57f6756352c713540b1d63

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\Valorant\Controller\Any_controller.rewasd

Filesize
22KB

MD5
95398465e031f6aa67fbde011bd23b5a

SHA1
3b4643da4365d067988f950924ae23d0837662bd

SHA256
519503549126c4a080ca0b332c76c68151180f8ac25bab1e9d2513ea02a902cd

SHA512
742471447d4b169544913139b4b158b2140275c73de8b55eaa5f486d75072a9bcbe8da39358f1314d0e3108e967b26c13f486a87963101d63a87241bd5b67093

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\Valorant\IcoGame.png

Filesize
240KB

MD5
e56933d3a93b7d69deafd34dffa18d89

SHA1
5c09ea645c024bf181acf4c87e7cd3b0242e5dc5

SHA256
94e53c0aaa54729fa1d8674e40e21e2bc1ee5202c97b47f793b72db6841ef954

SHA512
1754ca46b62f18e5a58467ec3594b8f21cf113fc7549db5239f88901d4163ebdb236375740938494b39162d2e4f1bce9be601efc0015c6954d74a5f7b70c39cd

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\xCloud\Controller\Kb&Mouse for Xbox Cloud .rewasd

Filesize
67KB

MD5
a4c5806ca8cd2fcc97e82524187fcba2

SHA1
9b123e06d51a013f3d531c9ae0a98d68f515ebc1

SHA256
b967a6756ef795a0c7581d20bc2f5c277f67b0eef29ca7b0d0c0b489bb81c2dc

SHA512
1f981d2b9f2a8b1dbc635ffc996724ab469636e8ebb00229f97329a121f60854415a29891296a41cdfd75b496a343867995c281068064c9e7a38fdddcbf31a34

Download Submit
C:\Users\Public\Documents\reWASD\Profiles\xCloud\IcoGame.png

Filesize
218KB

MD5
424b4d94227424765577ea368f34ed53

SHA1
b6f4a04014e8a1a10eb42686a3437aacf28889db

SHA256
f535c85f2365f786465c8c3218ca36180f53af5c56a3d09218abe86a30da7594

SHA512
939dfa90a6ca9ed812578922643726bf2e7119ad6e47aedd327c92d3925ae5e4706e00fe7d670f729fd962587cc313d6d21fa01da2c7206d7b5c1116d45c35e3

Download Submit
C:\Windows\INF\oem3.PNF

Filesize
6KB

MD5
5150082410e863b0ff12e37d4caea1fe

SHA1
d3c23064b319626957a7a72c51298ee7134ba673

SHA256
5a0b69bc125a0891de4be5e3f1d0117fd8389a4fb47a60c0cfa4731343fc65e7

SHA512
2e19185b71403808cf47157955e9f5a4a694eeff28a3543397493bd1e05540b293292728a77cd21f9b5ba590bad65090663f63ac7889bd0ee7c9719503199b3c

Download Submit
C:\Windows\INF\oem3.inf

Filesize
1KB

MD5
1333b8aa48705013420dd9ed1050d575

SHA1
d2ce41e3844c4f240f0723a24c3afb311f5784d6

SHA256
f8a1e51b3f5c789ddb3e955327db4962de9679202cffc4ccf201d65d82855273

SHA512
8f4ce17b4fb69f044b9f39165e6fac14ef30f9fe0f78ab9c95a22d74a479fbf42eba9c4d7df63758414c49b07d0a75fdaf112c3756eb15e56b4fd8cae3ead874

Download Submit
C:\Windows\INF\oem4.inf

Filesize
925B

MD5
1b5ece23733d14566fc50cf67f8c930a

SHA1
e2247faf11e21c785dd8009dbfdc6b269b850af8

SHA256
58a8369c194fcba5d941ba7b57980b514ab1284bd194acbf0febb86a9b8b364d

SHA512
e179f549f807bc1f7ce94f0ba633a4a8672168d07a3b907ab2d1cef8460a7b670982785bd24e0522d91b059dde0a15b4c16084e6da553f0970b4992bd6b2dd09

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log

Filesize
22KB

MD5
6595ab8b5bd852e6caa1da917beab863

SHA1
b561a511b1cfcb4ca6e3a3d82961dea0426bda13

SHA256
13079591dd64ddebee2385c216adbdfa64fc1575e2a0140f1236eef851dcc65f

SHA512
26293554fee89f7a9e9a0a7dbb64536854b3d9fb675719dd63950dfc61389fe0bd5c08ab8617abb8e2b90a134c9d6384c96d00bffcc7f26c4d293a005ac10dc6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log

Filesize
5KB

MD5
7214a1503a5872677337153d7657f548

SHA1
a79b144ef8eb68c2e6444591a8b1692aabe3503a

SHA256
9cb23c751825dd07686cc5813b1671aec4a8e27e0936fd4fea72b9a16463d860

SHA512
8c3d8a4a31dca0fc22e165493986076b02f840374b26b77689cdfe2ebbdc5a39b9e64f2f2c4407c30b2b944baff5b40754e0e54a72ddd48a921750b80713cfb8

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
181KB

MD5
ed07d7778e63a48b4e6441ad9c655a30

SHA1
d96ea57ed588102fd2fe177630b9f1423b4cee2a

SHA256
20a65014f816be1ab99b3918af57da5e307ebab58ca454380945b5c510881d38

SHA512
11ba88cb4cc5f9b67efdbbb81b5f3569fb3ee811f90166760b799d9eb3a75a685bfba7943eef74ae7db65d87fcd503365e9c5f205848c27d47d032d9efc55661

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\HIDGAM~1.INF\hidgamemap.sys

Filesize
343KB

MD5
212feba492d9262684f6fdd89bc55446

SHA1
819cece7e17cea98028586d0f0ef8c6b7e647ae7

SHA256
74a82ed3874943952dbd24b32c2d6632fed14c06673f92ac2ee5f82db3c4f56d

SHA512
bed3c8293c9315db40258805c1de07919c1d86cc6743723196e29059434dcac161fb862aa1fa2304f01fd6ce137da36ad4b8ad472240e68f5db0a69ddce7da17

Download Submit
C:\Windows\System32\DriverStore\FileRepository\hidgameflt.inf_amd64_a346fb41642799ea\hidgameflt.inf

Filesize
925B

MD5
1b5ece23733d14566fc50cf67f8c930a

SHA1
e2247faf11e21c785dd8009dbfdc6b269b850af8

SHA256
58a8369c194fcba5d941ba7b57980b514ab1284bd194acbf0febb86a9b8b364d

SHA512
e179f549f807bc1f7ce94f0ba633a4a8672168d07a3b907ab2d1cef8460a7b670982785bd24e0522d91b059dde0a15b4c16084e6da553f0970b4992bd6b2dd09

Download Submit
C:\Windows\System32\DriverStore\FileRepository\hidgamemap.inf_amd64_d0105ccbf21c4832\hidgamemap.cat

Filesize
11KB

MD5
5345e9ebbc345758bbb5fd98d92762a5

SHA1
94327c851a22c8046502fdfe4e73d37044f665e7

SHA256
354d3281100b64dfccc19b0a4ee75d59da648a058f52f3f326dd9683a2f71860

SHA512
51117ac89ac492d976bf50729fd5d7a6b5809c5c8691cc06ccfafdff4fcc82dbbe6e145f384b2fb6907aed1755d2bb3b25254c4994c6fc06ffcd74b6046579c5

Download Submit
C:\Windows\System32\DriverStore\FileRepository\hidgamemap.inf_amd64_d0105ccbf21c4832\hidgamemap.inf

Filesize
1KB

MD5
1333b8aa48705013420dd9ed1050d575

SHA1
d2ce41e3844c4f240f0723a24c3afb311f5784d6

SHA256
f8a1e51b3f5c789ddb3e955327db4962de9679202cffc4ccf201d65d82855273

SHA512
8f4ce17b4fb69f044b9f39165e6fac14ef30f9fe0f78ab9c95a22d74a479fbf42eba9c4d7df63758414c49b07d0a75fdaf112c3756eb15e56b4fd8cae3ead874

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
af9291cb95f88f6e4979f68554b00383

SHA1
612b3f7781e06b1c706b13ad3549e7496222fd30

SHA256
274619b33ec69789cb50da5ea34a6a751c256b9b3adc0c3289a4841c95445af0

SHA512
7694f6036b4721eae57f793d85589d1af563375575b0b4c12f277c2507993dfadb746bc9a6cbcc34a869c9479fd3ada95ea01a244f5deab2fe013ccbdb0405de

Download Submit
\??\Volume{b2c2c2d8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{674287ee-633f-4cb2-ab56-b653b88e4258}_OnDiskSnapshotProp

Filesize
5KB

MD5
a5fd8f66468de750001ef0b8f4f7848b

SHA1
3dc3c12b6202a8635f3d75b8220efbb38ce73119

SHA256
a0c9c68bf06d1d3cfe945283a4c27a0cdddac4ae502dfac270da0051a6d31de2

SHA512
f010c09da73035e35a5853893de5492a4a64da29e39e17ace544aae22854394651bb3dc4d9d04fdd46cbd20c6763a3982bd0cac3791ced31f1e887e6291863e1

Download Submit
\Program Files\reWASD\reWASD.exe

Filesize
8.9MB

MD5
3ccd22bbdcbbf4bb8ebf92823db3d426

SHA1
4483c35cdbc5cfa4813a153bf6aa9ed5a7e755db

SHA256
8777f67aff92d5c887901c6090e852c866b1403e51daea0f67fc0fd98ea6e429

SHA512
e81fd24aceb2288a447c7734cf65248c7d0630154a7ed726127a1ca39d16bcf007a848caedc0e4a4b0f89cf5776b7d90d810a0291218289e46ca0db4b31b22f7

Download Submit
\Program Files\reWASD\reWASD.exe

Filesize
8.9MB

MD5
3ccd22bbdcbbf4bb8ebf92823db3d426

SHA1
4483c35cdbc5cfa4813a153bf6aa9ed5a7e755db

SHA256
8777f67aff92d5c887901c6090e852c866b1403e51daea0f67fc0fd98ea6e429

SHA512
e81fd24aceb2288a447c7734cf65248c7d0630154a7ed726127a1ca39d16bcf007a848caedc0e4a4b0f89cf5776b7d90d810a0291218289e46ca0db4b31b22f7

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\7z.dll

Filesize
155KB

MD5
ad71a5e3a757aef0329aeda567f25a00

SHA1
97c766d85c9dabfcabd5a983fe165506d227a8ac

SHA256
f6b9ae6eaaedc55db0e381ec153892c122f1f257ada80cf242a20be8a2f117ef

SHA512
6852496fb8f59bea3ae46efd507d654ae27306d9f4f2f0dc0db8b03f9f63a3712e075b12f0ebdf6ea88db081fca4dd29be1555584aa70386ccb8297beef886ea

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\CHS.dll

Filesize
78KB

MD5
9e0faf0848551a6a5c995b5d8387e1f5

SHA1
9f071097549ff7ac158487506546d6f16c6d8376

SHA256
0c4e8bfc21a228e8f92c0b378bba05d7bef3e1580b07ab40a992e4a4e2a118ea

SHA512
eff0622a93de69a74abcc13f0c02e119f08ca3a1b81d0623362e391a481aa8315f4c839b9f7258350dbb49d9bbb07722d42c058022cfa1bfb0f75298747ef5c0

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\CHS.dll

Filesize
78KB

MD5
9e0faf0848551a6a5c995b5d8387e1f5

SHA1
9f071097549ff7ac158487506546d6f16c6d8376

SHA256
0c4e8bfc21a228e8f92c0b378bba05d7bef3e1580b07ab40a992e4a4e2a118ea

SHA512
eff0622a93de69a74abcc13f0c02e119f08ca3a1b81d0623362e391a481aa8315f4c839b9f7258350dbb49d9bbb07722d42c058022cfa1bfb0f75298747ef5c0

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\CHT.dll

Filesize
85KB

MD5
67d8338c129d8ab2e85078294f9a22b8

SHA1
5a2a5ee9139334412eb6949c907f509ccb40a27f

SHA256
c63c11f2ebf1afa2c9460fefb0d4a55bc4bf5c39e44b6e37e8507da51406ada7

SHA512
17d9955822fb14f91f7b044bd1ffb3885fb0f5cfbe7acb85b8b5229f436588371825e99bd8f0ebb7ed297616af72c520be37ece20f4147f6fb0e3d8fc4941428

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\CHT.dll

Filesize
85KB

MD5
67d8338c129d8ab2e85078294f9a22b8

SHA1
5a2a5ee9139334412eb6949c907f509ccb40a27f

SHA256
c63c11f2ebf1afa2c9460fefb0d4a55bc4bf5c39e44b6e37e8507da51406ada7

SHA512
17d9955822fb14f91f7b044bd1ffb3885fb0f5cfbe7acb85b8b5229f436588371825e99bd8f0ebb7ed297616af72c520be37ece20f4147f6fb0e3d8fc4941428

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\DEU.dll

Filesize
189KB

MD5
2d62ebe877fd2179d3de2df9b6cc398b

SHA1
a08cbbfb2ccf62b4274caf54915cc8dbb39a4ad4

SHA256
ee458a0312c618b15cc2bf5e2633306388ba0aab225d358aeb067167e3e20115

SHA512
a9ee79970996880f43aebf4e100f17ec1c06a21a0544ee4553292ca9c9e0569cefbf22471156a4ef5bbb9c94ed69ee4b26af84bd575569797ac7a7e3118c4e74

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\DEU.dll

Filesize
189KB

MD5
2d62ebe877fd2179d3de2df9b6cc398b

SHA1
a08cbbfb2ccf62b4274caf54915cc8dbb39a4ad4

SHA256
ee458a0312c618b15cc2bf5e2633306388ba0aab225d358aeb067167e3e20115

SHA512
a9ee79970996880f43aebf4e100f17ec1c06a21a0544ee4553292ca9c9e0569cefbf22471156a4ef5bbb9c94ed69ee4b26af84bd575569797ac7a7e3118c4e74

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\ENU.dll

Filesize
157KB

MD5
4e77f69b5daed1f3a6d9bb4c8c849d2d

SHA1
da7ea6668759e573ff00c929694db8bf7437c680

SHA256
57c112424a65b41a1d2fa4b700f88f5d0af163f79df84ef7898ec22d8508e653

SHA512
553f5ccc92ea377e4306a0d198afba226df2801dadf4bb314431e93ba3c863530f72d21f85231ee7610e7f43bc1fcf74950474fb3ffca543368a51b1e8ff5f96

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\ENU.dll

Filesize
157KB

MD5
4e77f69b5daed1f3a6d9bb4c8c849d2d

SHA1
da7ea6668759e573ff00c929694db8bf7437c680

SHA256
57c112424a65b41a1d2fa4b700f88f5d0af163f79df84ef7898ec22d8508e653

SHA512
553f5ccc92ea377e4306a0d198afba226df2801dadf4bb314431e93ba3c863530f72d21f85231ee7610e7f43bc1fcf74950474fb3ffca543368a51b1e8ff5f96

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\ESN.dll

Filesize
182KB

MD5
89325172c9718abbd56c6c96ca99aa47

SHA1
6c1e1712c505d9c0dbeb32d733672fe2e4dbc8cb

SHA256
00b0edd130676dfe31a025add94d85f3286a8b44d052a16137397605a4e965b6

SHA512
a352b8d8ac67c43ad11a4673ac9f0ed7469f1f2e8a0f02553b0e087169768999a371de828215165701b704c2abdc11728821688c078f84b93d19a891c263b27a

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\ESN.dll

Filesize
182KB

MD5
89325172c9718abbd56c6c96ca99aa47

SHA1
6c1e1712c505d9c0dbeb32d733672fe2e4dbc8cb

SHA256
00b0edd130676dfe31a025add94d85f3286a8b44d052a16137397605a4e965b6

SHA512
a352b8d8ac67c43ad11a4673ac9f0ed7469f1f2e8a0f02553b0e087169768999a371de828215165701b704c2abdc11728821688c078f84b93d19a891c263b27a

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\FRA.dll

Filesize
190KB

MD5
3764317435066549e9ee473aaff401b6

SHA1
46c6f0374c7366a074edeb6d1f9d242c16ebeeba

SHA256
7b572246ffb2654a496a74cf72f7ae30c10799ee0d50a2d333d43c403d562f9b

SHA512
14196daceba4aeef7cb14af24364fb0e03721eb4d647748b02d7b0c0e1a510e35d1d398d9582fe061d3155ed3d94c8ae759e390f879d7f9404bb20727cd5c6fb

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\FRA.dll

Filesize
190KB

MD5
3764317435066549e9ee473aaff401b6

SHA1
46c6f0374c7366a074edeb6d1f9d242c16ebeeba

SHA256
7b572246ffb2654a496a74cf72f7ae30c10799ee0d50a2d333d43c403d562f9b

SHA512
14196daceba4aeef7cb14af24364fb0e03721eb4d647748b02d7b0c0e1a510e35d1d398d9582fe061d3155ed3d94c8ae759e390f879d7f9404bb20727cd5c6fb

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\ITA.dll

Filesize
180KB

MD5
d6d7b109975a8ee3099fc142b8b3d7b9

SHA1
65d374006564e9995e604de4d6185fc25aef2b40

SHA256
2937dda17485937a5ea15e90ba0b6e68052306a99177db885c51c46bdceeb66c

SHA512
e23e47776da729471f7086cf54fb3904222e9f28431f4702adf03aea4270da98226a89cda57fb46e9a9b9230815a957065034f340ed0755a114d5fdeea12d6ee

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\ITA.dll

Filesize
180KB

MD5
d6d7b109975a8ee3099fc142b8b3d7b9

SHA1
65d374006564e9995e604de4d6185fc25aef2b40

SHA256
2937dda17485937a5ea15e90ba0b6e68052306a99177db885c51c46bdceeb66c

SHA512
e23e47776da729471f7086cf54fb3904222e9f28431f4702adf03aea4270da98226a89cda57fb46e9a9b9230815a957065034f340ed0755a114d5fdeea12d6ee

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\JPN.dll

Filesize
99KB

MD5
2af268c906ff8eb2b4af12114609264f

SHA1
e80bc0545e7677a511d867564269c04b3eff7836

SHA256
7e695c36121925ce34d87ae83c817fa9ae0a69fca79463350d5ca1ea3cbaf524

SHA512
a3a6ed8b7ac6fca1c624f51359aff12776cd8b5e3cbd306765c10ceee349bf1dbdb0b5c35eb1c9d8adb039d932e59ab99d51dde610e73b05ae2a889a261bab25

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\JPN.dll

Filesize
99KB

MD5
2af268c906ff8eb2b4af12114609264f

SHA1
e80bc0545e7677a511d867564269c04b3eff7836

SHA256
7e695c36121925ce34d87ae83c817fa9ae0a69fca79463350d5ca1ea3cbaf524

SHA512
a3a6ed8b7ac6fca1c624f51359aff12776cd8b5e3cbd306765c10ceee349bf1dbdb0b5c35eb1c9d8adb039d932e59ab99d51dde610e73b05ae2a889a261bab25

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\PTB.dll

Filesize
178KB

MD5
7bfa5c94a8b040e99df94d22317e7bce

SHA1
3f16e791f942bbdb19437b2bb3db15e379ed7a95

SHA256
cfbaddff764d743a7823db1b5e1b21ed8e3d35baa8627e4d3609a30d4aa65a55

SHA512
8f11a3648347936f0749d0d81d6c65af129923efe677d44d83f14da0a11a1d5536d35907a845b90e6a9dc0c1e5aaf98b4bdfcb59d4e3f81a8df30faab7c8ae03

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\PTB.dll

Filesize
178KB

MD5
7bfa5c94a8b040e99df94d22317e7bce

SHA1
3f16e791f942bbdb19437b2bb3db15e379ed7a95

SHA256
cfbaddff764d743a7823db1b5e1b21ed8e3d35baa8627e4d3609a30d4aa65a55

SHA512
8f11a3648347936f0749d0d81d6c65af129923efe677d44d83f14da0a11a1d5536d35907a845b90e6a9dc0c1e5aaf98b4bdfcb59d4e3f81a8df30faab7c8ae03

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\RUS.dll

Filesize
171KB

MD5
75f75d63735822fe28d6bbfa834d0a98

SHA1
31c1584ef0eb31d96f72e428ac3f1c1353a1f2ce

SHA256
43f831fccc4c845dbb8c93e14c9b1834a039e562055a1b00bf986da17b7603bb

SHA512
45fc2d81c7416f5d7a6588838c6ccdf46165007b83a7e123cfb232ae3213394d36e314b67cf46b6eea401c86d1c19a0fdbc9d657d441c414ce6ba990a94f28c6

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\RUS.dll

Filesize
171KB

MD5
75f75d63735822fe28d6bbfa834d0a98

SHA1
31c1584ef0eb31d96f72e428ac3f1c1353a1f2ce

SHA256
43f831fccc4c845dbb8c93e14c9b1834a039e562055a1b00bf986da17b7603bb

SHA512
45fc2d81c7416f5d7a6588838c6ccdf46165007b83a7e123cfb232ae3213394d36e314b67cf46b6eea401c86d1c19a0fdbc9d657d441c414ce6ba990a94f28c6

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\UKR.dll

Filesize
170KB

MD5
ddf34002664411ac9438ce86e29eae9c

SHA1
23a244050943794b276b230d11449e045c8cea16

SHA256
8cd89686a58e5a02398b2ae8fce2acaf526adf7dd3c7fcc9a439f441bbdbeb63

SHA512
b0641574c766aa5e43b4efafa3009aaac852a5f4d940c06de0d74ff2c6ff06de7bb110bc0181d0877bdd501dd1ec5319af49fa40ecaf1a774b9f613a5a86fa50

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\UKR.dll

Filesize
170KB

MD5
ddf34002664411ac9438ce86e29eae9c

SHA1
23a244050943794b276b230d11449e045c8cea16

SHA256
8cd89686a58e5a02398b2ae8fce2acaf526adf7dd3c7fcc9a439f441bbdbeb63

SHA512
b0641574c766aa5e43b4efafa3009aaac852a5f4d940c06de0d74ff2c6ff06de7bb110bc0181d0877bdd501dd1ec5319af49fa40ecaf1a774b9f613a5a86fa50

Download Submit
\Users\Admin\AppData\Local\Temp\reWASDInstallerResources\setuphlp.dll

Filesize
1018KB

MD5
6e720588931caa2f7cd3c8a43bd33696

SHA1
8d5f82d55fcdae8e66330625c2b8880d24278835

SHA256
6fe0e355b00b5d0573cebb9c3b719b21edf1b5f188b981096766e4a5705b5f33

SHA512
478b48f85df289a84c7219212b62426eb6276837d1121a3b5e7bea5950084a01ea659a49548839ce47813abae955803afb15aa4270331c3f5fe85336c3e8f144

Download Submit
memory/1596-1042-0x0000000064D10000-0x0000000064DDF000-memory.dmp

Filesize
828KB

Download
memory/2244-130-0x0000000006C60000-0x0000000006C70000-memory.dmp

Filesize
64KB

Download
memory/2244-121-0x0000000000D00000-0x000000000237A000-memory.dmp

Filesize
22.5MB

Download
memory/2244-208-0x000000000A600000-0x000000000A638000-memory.dmp

Filesize
224KB

Download
memory/2244-209-0x0000000006C60000-0x0000000006C70000-memory.dmp

Filesize
64KB

Download
memory/2244-210-0x000000000B420000-0x000000000B4B2000-memory.dmp

Filesize
584KB

Download
memory/2244-211-0x0000000006C60000-0x0000000006C70000-memory.dmp

Filesize
64KB

Download
memory/2244-212-0x0000000006C60000-0x0000000006C70000-memory.dmp

Filesize
64KB

Download
memory/2244-129-0x00000000070F0000-0x000000000710E000-memory.dmp

Filesize
120KB

Download
memory/2244-205-0x000000006E430000-0x000000006E530000-memory.dmp

Filesize
1024KB

Download
memory/2244-206-0x0000000007B80000-0x0000000007BC0000-memory.dmp

Filesize
256KB

Download
memory/2244-207-0x00000000073F0000-0x00000000073F8000-memory.dmp

Filesize
32KB

Download
memory/2244-131-0x0000000006C60000-0x0000000006C70000-memory.dmp

Filesize
64KB

Download
memory/2244-348-0x0000000006C60000-0x0000000006C70000-memory.dmp

Filesize
64KB

Download
memory/2244-128-0x0000000007110000-0x0000000007186000-memory.dmp

Filesize
472KB

Download
memory/2244-122-0x0000000006C70000-0x0000000006C82000-memory.dmp

Filesize
72KB

Download
memory/2244-123-0x0000000006C30000-0x0000000006C3A000-memory.dmp

Filesize
40KB

Download
memory/2920-1364-0x0000000058450000-0x000000005846A000-memory.dmp

Filesize
104KB

Download
memory/3668-1114-0x0000000061F60000-0x0000000061FA5000-memory.dmp

Filesize
276KB

Download
memory/3736-1311-0x0000000058070000-0x000000005809B000-memory.dmp

Filesize
172KB

Download
memory/3984-950-0x00000000628D0000-0x0000000062B4A000-memory.dmp

Filesize
2.5MB

Download
memory/4168-1241-0x0000000058480000-0x0000000058502000-memory.dmp

Filesize
520KB

Download
memory/4268-606-0x00007FFD2E790000-0x00007FFD2E7A0000-memory.dmp

Filesize
64KB

Download
memory/4280-1171-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/4996-776-0x000000000BD80000-0x000000000C2AC000-memory.dmp

Filesize
5.2MB

Download
memory/4996-782-0x000000000AF30000-0x000000000B006000-memory.dmp

Filesize
856KB

Download
memory/4996-783-0x000000000A4F0000-0x000000000A540000-memory.dmp

Filesize
320KB

Download
memory/4996-784-0x000000000B010000-0x000000000B0C2000-memory.dmp

Filesize
712KB

Download
memory/4996-785-0x000000000A360000-0x000000000A382000-memory.dmp

Filesize
136KB

Download
memory/4996-786-0x000000000A3F0000-0x000000000A402000-memory.dmp

Filesize
72KB

Download
memory/4996-787-0x000000000AE50000-0x000000000AE72000-memory.dmp

Filesize
136KB

Download
memory/4996-788-0x000000000B0D0000-0x000000000B136000-memory.dmp

Filesize
408KB

Download
memory/4996-789-0x000000000C8C0000-0x000000000CEC6000-memory.dmp

Filesize
6.0MB

Download
memory/4996-803-0x000000000AF10000-0x000000000AF30000-memory.dmp

Filesize
128KB

Download
memory/4996-817-0x000000000B1B0000-0x000000000B216000-memory.dmp

Filesize
408KB

Download
memory/4996-818-0x000000000BA20000-0x000000000BBE2000-memory.dmp

Filesize
1.8MB

Download
memory/4996-832-0x000000000B220000-0x000000000B25E000-memory.dmp

Filesize
248KB

Download
memory/4996-833-0x000000000B180000-0x000000000B192000-memory.dmp

Filesize
72KB

Download
memory/4996-834-0x000000000BBF0000-0x000000000BCFA000-memory.dmp

Filesize
1.0MB

Download
memory/4996-835-0x000000000B260000-0x000000000B2AB000-memory.dmp

Filesize
300KB

Download
memory/4996-836-0x000000000B850000-0x000000000B8B0000-memory.dmp

Filesize
384KB

Download
memory/4996-837-0x000000000C2B0000-0x000000000C37E000-memory.dmp

Filesize
824KB

Download
memory/4996-838-0x000000000B2F0000-0x000000000B32C000-memory.dmp

Filesize
240KB

Download
memory/4996-840-0x000000000B330000-0x000000000B342000-memory.dmp

Filesize
72KB

Download
memory/4996-839-0x000000000B8B0000-0x000000000B8D4000-memory.dmp

Filesize
144KB

Download
memory/4996-841-0x000000000B930000-0x000000000B974000-memory.dmp

Filesize
272KB

Download
memory/4996-842-0x000000000B980000-0x000000000B9AA000-memory.dmp

Filesize
168KB

Download
memory/4996-843-0x000000000B9B0000-0x000000000B9D2000-memory.dmp

Filesize
136KB

Download
memory/4996-844-0x000000000B9E0000-0x000000000BA12000-memory.dmp

Filesize
200KB

Download
memory/4996-845-0x000000000C480000-0x000000000C4D6000-memory.dmp

Filesize
344KB

Download
memory/4996-846-0x000000000C4E0000-0x000000000C830000-memory.dmp

Filesize
3.3MB

Download
memory/4996-847-0x000000000BD00000-0x000000000BD1C000-memory.dmp

Filesize
112KB

Download
memory/4996-848-0x000000000D3A0000-0x000000000D86A000-memory.dmp

Filesize
4.8MB

Download
memory/4996-849-0x000000000C870000-0x000000000C8A2000-memory.dmp

Filesize
200KB

Download
memory/4996-850-0x000000000CF20000-0x000000000CF64000-memory.dmp

Filesize
272KB

Download
memory/4996-851-0x000000000C830000-0x000000000C84E000-memory.dmp

Filesize
120KB

Download
memory/4996-852-0x000000000C850000-0x000000000C86A000-memory.dmp

Filesize
104KB

Download
memory/4996-853-0x000000000D0A0000-0x000000000D1C2000-memory.dmp

Filesize
1.1MB

Download
memory/4996-854-0x000000000CF70000-0x000000000CFED000-memory.dmp

Filesize
500KB

Download
memory/4996-855-0x000000000CEF0000-0x000000000CF0E000-memory.dmp

Filesize
120KB

Download
memory/4996-856-0x000000000D010000-0x000000000D02A000-memory.dmp

Filesize
104KB

Download
memory/4996-857-0x000000000D260000-0x000000000D2EC000-memory.dmp

Filesize
560KB

Download
memory/4996-858-0x000000000D9F0000-0x000000000DB66000-memory.dmp

Filesize
1.5MB

Download
memory/4996-859-0x000000000D040000-0x000000000D04C000-memory.dmp

Filesize
48KB

Download
memory/4996-781-0x000000000A240000-0x000000000A24A000-memory.dmp

Filesize
40KB

Download
memory/4996-780-0x000000000A390000-0x000000000A3EB000-memory.dmp

Filesize
364KB

Download
memory/4996-779-0x000000000A410000-0x000000000A4E4000-memory.dmp

Filesize
848KB

Download
memory/4996-777-0x000000000A170000-0x000000000A17E000-memory.dmp

Filesize
56KB

Download
memory/4996-723-0x000000000A190000-0x000000000A230000-memory.dmp

Filesize
640KB

Download
memory/4996-670-0x000000000B350000-0x000000000B84E000-memory.dmp

Filesize
5.0MB

Download
memory/4996-617-0x0000000009E00000-0x0000000009F5A000-memory.dmp

Filesize
1.4MB

Download
memory/4996-616-0x000000000A560000-0x000000000AE4C000-memory.dmp

Filesize
8.9MB

Download