hxxps://getswift[.]xyz

Analysis

max time kernel
735s
max time network
736s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-01-2025 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://getswift.xyz

Score

10^/10

google defense_evasion discovery persistence phishing privilege_escalation trojan

Malware Config

Signatures

Detected google phishing page
phishing google
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 41 IoCs

pid	Process
412	swift-bootstrapper.exe
5748	Swift.exe
3668	Swift.exe
2960	Swift.exe
6032	Swift.exe
480	Swift.exe
1104	Swift.exe
4972	Swift.exe
3700	Swift.exe
1520	Swift.exe
3492	Swift.exe
3160	RobloxPlayerInstaller.exe
5376	MicrosoftEdgeWebview2Setup.exe
5856	MicrosoftEdgeUpdate.exe
1376	MicrosoftEdgeUpdate.exe
3336	MicrosoftEdgeUpdate.exe
3308	MicrosoftEdgeUpdateComRegisterShell64.exe
2052	MicrosoftEdgeUpdateComRegisterShell64.exe
1488	MicrosoftEdgeUpdateComRegisterShell64.exe
3412	MicrosoftEdgeUpdate.exe
5716	MicrosoftEdgeUpdate.exe
3364	MicrosoftEdgeUpdate.exe
4616	MicrosoftEdgeUpdate.exe
1048	MicrosoftEdge_X64_132.0.2957.115.exe
5736	setup.exe
1956	setup.exe
592	setup.exe
2412	setup.exe
4076	Swift.exe
1320	msedgewebview2.exe
6092	msedgewebview2.exe
4504	MicrosoftEdgeUpdate.exe
684	msedgewebview2.exe
4544	msedgewebview2.exe
852	msedgewebview2.exe
5304	msedgewebview2.exe
3124	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5196	msedgewebview2.exe
6308	msedgewebview2.exe
2500	msedgewebview2.exe

Loads dropped DLL 44 IoCs

pid	Process
5856	MicrosoftEdgeUpdate.exe
1376	MicrosoftEdgeUpdate.exe
3336	MicrosoftEdgeUpdate.exe
3308	MicrosoftEdgeUpdateComRegisterShell64.exe
3336	MicrosoftEdgeUpdate.exe
2052	MicrosoftEdgeUpdateComRegisterShell64.exe
3336	MicrosoftEdgeUpdate.exe
1488	MicrosoftEdgeUpdateComRegisterShell64.exe
3336	MicrosoftEdgeUpdate.exe
3412	MicrosoftEdgeUpdate.exe
5716	MicrosoftEdgeUpdate.exe
3364	MicrosoftEdgeUpdate.exe
3364	MicrosoftEdgeUpdate.exe
5716	MicrosoftEdgeUpdate.exe
4616	MicrosoftEdgeUpdate.exe
4076	Swift.exe
1320	msedgewebview2.exe
6092	msedgewebview2.exe
1320	msedgewebview2.exe
4504	MicrosoftEdgeUpdate.exe
1320	msedgewebview2.exe
1320	msedgewebview2.exe
4544	msedgewebview2.exe
684	msedgewebview2.exe
852	msedgewebview2.exe
4544	msedgewebview2.exe
5304	msedgewebview2.exe
684	msedgewebview2.exe
5304	msedgewebview2.exe
5304	msedgewebview2.exe
852	msedgewebview2.exe
684	msedgewebview2.exe
684	msedgewebview2.exe
684	msedgewebview2.exe
684	msedgewebview2.exe
3124	RobloxPlayerBeta.exe
1320	msedgewebview2.exe
5028	RobloxPlayerBeta.exe
5196	msedgewebview2.exe
5196	msedgewebview2.exe
6308	msedgewebview2.exe
6308	msedgewebview2.exe
2500	msedgewebview2.exe
2500	msedgewebview2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Swift.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
11	discord.com
17	discord.com
59	raw.githubusercontent.com
75	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\NDF\{8B02A683-5984-4CCA-9F97-FC6413C0D287}-temp-01212025-2019.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{8B02A683-5984-4CCA-9F97-FC6413C0D287}-temp-01212025-2019.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUtmp.log	svchost.exe
File created	C:\Windows\system32\SRU\SRUtmp.log	svchost.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3124	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
3124	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\mk.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\MaterialManager\Gradient_LT.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\Controls\DesignSystem\ButtonY.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\Controls\PlayStationController\DPadDown.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_elf.dll	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\VoiceChat\SpeakerNew\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\edge_game_assist\VERSION	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\sr-Cyrl-BA.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\ImageSet\LuaApp\img_set_2x_4.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\fonts\JosefinSans-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\Controls\DesignSystem\ButtonB.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\fonts\Creepster-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\LuaApp\icons\ic-more-message.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC7DD.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\IBeamCursor.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\ImageSet\AE\img_set_2x_2.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\sky\noisefb.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\AvatarImporter\img_light_R15.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\StudioSharedUI\pending-light.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\TerrainTools\mtrl_leafygrass.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\TopRoundedRect8px.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\InspectMenu\selection_rounded.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\fonts\families\Fondamento.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\InGameMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\LuaApp\graphic\gr-avatar [email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\identity_proxy\canary.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\AlignTool\AlignTool.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\GameSettings\delete.PNG	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\kn.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\StudioToolbox\AssetPreview\Rejected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\LayeredClothingEditor\Icon_AddMore_Light.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\PurchasePrompt\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\ru.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\is.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\it.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\SelfView\SelfView_icon_indicator_on.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\Controls\DefaultController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\LuaChatV2\actions_checkbox.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\SingleButtonDown.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\WarningIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\LegacyRbxGui\Cinder block.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ViewSelector\right_hover.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\Controls\DesignSystem\ButtonR2.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\configs\UniversalAppPatchConfig\UniversalAppPatchConfig.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\LuaApp\icons\ic-blue-dot.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\LuaChat\icons\ic-group.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\Emotes\Editor\TenFoot\Wheel.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedge.dll.sig	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\AlignTool\Center.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\AnimationEditor\btn_expand.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\StudioUIEditor\icon_resize4.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\TerrainTools\import_toggleOn.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\MenuBar\arrow_right.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\ExtraContent\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\avatar\compositing\CompositRightArmBase.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\AnimationEditor\button_popup_close.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\content\textures\ui\Controls\XboxController\ButtonRS.png	RobloxPlayerInstaller.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_613700491\manifest.json	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_302177960\manifest.json	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_302177960\manifest.fingerprint	msedgewebview2.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_845234682\ct_config.pb	msedgewebview2.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_613700491\protocols.json	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_845234682\kp_pinslist.pb	msedgewebview2.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_845234682\crs.pb	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_845234682\manifest.json	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_845234682\manifest.fingerprint	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_613700491\manifest.fingerprint	msedgewebview2.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\swift-bootstrapper.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 33 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3248	msedgewebview2.exe
5512	msedgewebview2.exe
2184	msedgewebview2.exe
1848	msedgewebview2.exe
2152	msedgewebview2.exe
4504	MicrosoftEdgeUpdate.exe
3012	msedgewebview2.exe
2972	msedgewebview2.exe
4588	msedgewebview2.exe
1332	msedgewebview2.exe
4616	MicrosoftEdgeUpdate.exe
2292	msedgewebview2.exe
1560	msedgewebview2.exe
4972	msedgewebview2.exe
240	msedgewebview2.exe
5408	msedgewebview2.exe
3444	msedgewebview2.exe
5196	msedgewebview2.exe
5736	msedgewebview2.exe
2028	msedgewebview2.exe
5212	msedgewebview2.exe
1540	msedgewebview2.exe
6032	msedgewebview2.exe
5712	msedgewebview2.exe
3892	msedgewebview2.exe
5264	msedgewebview2.exe
5184	msedgewebview2.exe
3412	MicrosoftEdgeUpdate.exe
5300	msedgewebview2.exe
2984	msedgewebview2.exe
4776	msedgewebview2.exe
4020	msedgewebview2.exe
2140	msedgewebview2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 38 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5856	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819643330644474"	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ProgID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\shell\open	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CLSID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreMachineClass"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebSvc.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CurVer\ = "MicrosoftEdgeUpdate.Update3WebMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusSvc"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\LocalService = "edgeupdatem"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\CLSID\ = "{77857D02-7A25-4B67-9266-3E122A8F39E4}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity"	MicrosoftEdgeUpdateComRegisterShell64.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 878480.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\swift-bootstrapper.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 327084.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
232	msedge.exe
232	msedge.exe
724	identity_helper.exe
724	identity_helper.exe
6052	msedge.exe
6052	msedge.exe
2508	msedge.exe
2508	msedge.exe
1504	msedge.exe
1504	msedge.exe
2772	msedge.exe
2772	msedge.exe
2772	msedge.exe
2772	msedge.exe
6028	msedgewebview2.exe
6028	msedgewebview2.exe
4012	msedgewebview2.exe
4012	msedgewebview2.exe
1836	msedgewebview2.exe
1836	msedgewebview2.exe
4688	msedgewebview2.exe
4688	msedgewebview2.exe
1020	msedgewebview2.exe
1020	msedgewebview2.exe
4520	msedgewebview2.exe
4520	msedgewebview2.exe
1476	msedgewebview2.exe
1476	msedgewebview2.exe
3128	msedgewebview2.exe
3128	msedgewebview2.exe
5980	msedgewebview2.exe
5980	msedgewebview2.exe
3468	msedgewebview2.exe
3468	msedgewebview2.exe
756	msedge.exe
2916	msedge.exe
2916	msedge.exe
3160	RobloxPlayerInstaller.exe
3160	RobloxPlayerInstaller.exe
5856	MicrosoftEdgeUpdate.exe
5856	MicrosoftEdgeUpdate.exe
5856	MicrosoftEdgeUpdate.exe
5856	MicrosoftEdgeUpdate.exe
5856	MicrosoftEdgeUpdate.exe
5856	MicrosoftEdgeUpdate.exe
3124	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe
6152	sdiagnhost.exe
6152	sdiagnhost.exe
6716	svchost.exe
6716	svchost.exe
6716	svchost.exe
6716	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 58 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
2192	msedgewebview2.exe
4288	msedgewebview2.exe
5748	msedgewebview2.exe
3396	msedgewebview2.exe
2764	msedgewebview2.exe
2304	msedgewebview2.exe
5904	msedgewebview2.exe
656	msedgewebview2.exe
1000	msedgewebview2.exe
5284	msedgewebview2.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
1320	msedgewebview2.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	5888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5888	AUDIODG.EXE
Token: SeDebugPrivilege	5856	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5856	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	6152	sdiagnhost.exe
Token: SeShutdownPrivilege	6716	svchost.exe
Token: SeCreatePagefilePrivilege	6716	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
5748	Swift.exe
2192	msedgewebview2.exe
2192	msedgewebview2.exe
3668	Swift.exe
4288	msedgewebview2.exe
4288	msedgewebview2.exe
2960	Swift.exe
5748	msedgewebview2.exe
5748	msedgewebview2.exe
6032	Swift.exe
3396	msedgewebview2.exe
3396	msedgewebview2.exe
480	Swift.exe
2764	msedgewebview2.exe
2764	msedgewebview2.exe
1104	Swift.exe
2304	msedgewebview2.exe
2304	msedgewebview2.exe
4972	Swift.exe
5904	msedgewebview2.exe
5904	msedgewebview2.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5604	MiniSearchHost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3124	RobloxPlayerBeta.exe
5028	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4956	232	msedge.exe	77
PID 232 wrote to memory of 4956	232	msedge.exe	77
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 1612	232	msedge.exe	78
PID 232 wrote to memory of 4532	232	msedge.exe	79
PID 232 wrote to memory of 4532	232	msedge.exe	79
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80
PID 232 wrote to memory of 6072	232	msedge.exe	80

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://getswift.xyz
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4024 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1876 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Users\Admin\Downloads\swift-bootstrapper.exe
  "C:\Users\Admin\Downloads\swift-bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4532 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=876 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=7500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8112 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7836 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3160
- - C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
    MicrosoftEdgeWebview2Setup.exe /silent /install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:5376
  - - C:\Program Files (x86)\Microsoft\Temp\EUC7DD.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUC7DD.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5856
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3308
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2052
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1488
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjUwMTc1NEMtQTZGMi00QkVFLUI0RjQtMkFCQTUwMTk1MEU3fSIgdXNlcmlkPSJ7QTdBQkRGQTAtNTMyOC00REQyLTg2MjgtOEJBNzg3MzUwMTZDfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyQUY2NTdCNS0yOTU5LTQwNjUtQjlGNi1BRjcxNzY0RjY1MUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0My41NyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMTIxMTgyMDMzIiBpbnN0YWxsX3RpbWVfbXM9IjU4NSIvPjwvYXBwPjwvcmVxdWVzdD4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3412
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{B501754C-A6F2-4BEE-B4F4-2ABA501950E7}" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5716
- - C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\RobloxPlayerBeta.exe
    "C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 3160
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-080ad6451df24461\RobloxPlayerBeta.exe" roblox-player:1+launchmode:play+gameinfo:AvRz9StP4y783udmqMXVGC3cWx6i0A7MyLD2trtm7XUhF8JDpvyu72b8TbPovN_lt05tWXrfkNmK_B1kN0nkxEcxZL4LJhgWrRNMxRVfI19CE8K9Yl8xmJlJF7Z90A4MaoCd6yY-ABsphOMt4bb3Gsabn19S3lmKvPKlib2piuT46wQuXlzQYQ6RZptb1rdvXdaVbuNbzMHuy7IiEjz4qDoWSC-Eh0QdWdtdgWpXPSs+launchtime:1737490758948+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1737490461993002%26placeId%3D2788229376%26isPlayTogetherGame%3Dfalse%26referredByPlayerId%3D0%26joinAttemptId%3Db2181495-28ed-4d64-bd50-1eef9fb2513c%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1737490461993002+robloxLocale:en_us+gameLocale:en_us+channel:+LaunchExp:InApp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8168 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:1
  2⤵
  PID:4336
- C:\Windows\system32\msdt.exe
  -modal "524934" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFB9E9.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:6612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1
  2⤵
  PID:6708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1
  2⤵
  PID:6844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
  2⤵
  PID:6212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:6624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2528769607552210492,6546993783388209023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
  2⤵
  PID:6476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3284

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5748
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=5748.5904.11710314497810397453
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2192
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x19c,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:460
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1784,9305040181465946985,6759201525050737844,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3248
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,9305040181465946985,6759201525050737844,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6028
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1784,9305040181465946985,6759201525050737844,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2384 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5512
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1784,9305040181465946985,6759201525050737844,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5616

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3668
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=3668.2856.6395451642949520265
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4288
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b8,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:5128
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1872,7960717660759573319,500486401364620614,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5300
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,7960717660759573319,500486401364620614,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1932 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4012
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,7960717660759573319,500486401364620614,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2568 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3444
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1872,7960717660759573319,500486401364620614,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2960
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=2960.1000.1515473217226879382
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5748
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1ac,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:4888
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1828,15241619867762648231,13817072797435488808,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2984
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,15241619867762648231,13817072797435488808,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1888 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1836
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,15241619867762648231,13817072797435488808,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2396 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4776
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1828,15241619867762648231,13817072797435488808,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2028

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:6032
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=6032.2824.2606326011766122
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:3396
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x184,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:3928
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1736,3760618387830049332,14934965067135887538,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1748 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1560
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1736,3760618387830049332,14934965067135887538,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4688
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1736,3760618387830049332,14934965067135887538,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2656 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4972
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1736,3760618387830049332,14934965067135887538,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3892

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:480
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=480.4012.422800022364413234
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2764
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b8,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:4256
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1792,15246804619764102767,492356211084938876,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1816 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2184
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,15246804619764102767,492356211084938876,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1868 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1020
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1792,15246804619764102767,492356211084938876,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2524 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2972
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1792,15246804619764102767,492356211084938876,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4020

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1104
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1104.872.12954242331075413775
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2304
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b8,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:1592
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1908,724973980442251389,17216913606977919668,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6032
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,724973980442251389,17216913606977919668,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1968 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4520
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,724973980442251389,17216913606977919668,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2616 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4588
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1908,724973980442251389,17216913606977919668,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1332

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4972
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=4972.1000.2619807838120633061
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5904
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1ac,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:924
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1728,15382718737090420714,3285886708609421049,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:240
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,15382718737090420714,3285886708609421049,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1476
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,15382718737090420714,3285886708609421049,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2620 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5212
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1728,15382718737090420714,3285886708609421049,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5712

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
PID:3700
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=3700.3500.5830979177693987662
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:656
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b4,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:4068
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1752,11157464705581634932,16883550050299024286,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1772 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1848
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,11157464705581634932,16883550050299024286,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3128
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,11157464705581634932,16883550050299024286,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2228 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2140
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1752,11157464705581634932,16883550050299024286,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5196

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
PID:1520
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1520.880.3879214511401159283
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:1000
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1ac,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1876,16013407822499873522,11615678893921242615,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2152
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,16013407822499873522,11615678893921242615,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1972 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5980
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,16013407822499873522,11615678893921242615,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2684 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5264
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1876,16013407822499873522,11615678893921242615,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1540

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
PID:3492
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=3492.3456.11844037677551054044
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5284
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x118,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:2396
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1868,5801644813385631366,17385137955850883007,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5408
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,5801644813385631366,17385137955850883007,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1976 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,5801644813385631366,17385137955850883007,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2508 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5184
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1868,5801644813385631366,17385137955850883007,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5736

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3364
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjUwMTc1NEMtQTZGMi00QkVFLUI0RjQtMkFCQTUwMTk1MEU3fSIgdXNlcmlkPSJ7QTdBQkRGQTAtNTMyOC00REQyLTg2MjgtOEJBNzg3MzUwMTZDfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4OUEyOTNDQS1CQ0ZDLTREMzktQjZGMy1DMTk4RUZBQzc4MTZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMTI1NjcxOTg1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4616
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57514876-DC4C-49A8-832E-CB3218813E23}\MicrosoftEdge_X64_132.0.2957.115.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57514876-DC4C-49A8-832E-CB3218813E23}\MicrosoftEdge_X64_132.0.2957.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:1048
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57514876-DC4C-49A8-832E-CB3218813E23}\EDGEMITMP_62991.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57514876-DC4C-49A8-832E-CB3218813E23}\EDGEMITMP_62991.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57514876-DC4C-49A8-832E-CB3218813E23}\MicrosoftEdge_X64_132.0.2957.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:5736
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57514876-DC4C-49A8-832E-CB3218813E23}\EDGEMITMP_62991.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57514876-DC4C-49A8-832E-CB3218813E23}\EDGEMITMP_62991.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.84 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{57514876-DC4C-49A8-832E-CB3218813E23}\EDGEMITMP_62991.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.115 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff653dfa818,0x7ff653dfa824,0x7ff653dfa830
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1956
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Installer\setup.exe" --msedgewebview --delete-old-versions --system-level --verbose-logging
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:592
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.84 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.115 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6fda5a818,0x7ff6fda5a824,0x7ff6fda5a830
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2412
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjUwMTc1NEMtQTZGMi00QkVFLUI0RjQtMkFCQTUwMTk1MEU3fSIgdXNlcmlkPSJ7QTdBQkRGQTAtNTMyOC00REQyLTg2MjgtOEJBNzg3MzUwMTZDfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxQTBGMEFFNS05RTFDLTRGNzktODQxMS02RUMwNDM0NTMwODF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzIuMC4yOTU3LjExNSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgxOTYzODYzNzU1MTIxMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDEzOTUwMjA3MiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMTM5NjQyMjE5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAzNzg1NjIwNDUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzcyNzJiMGNiLWNhNDUtNDQ2My1hODk1LWY3NDViZmZkZjQ3YT9QMT0xNzM4MDk1NDQ0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVNaJTJmRFhWVXV6aTgxSkh4JTJiMFhhaGNFdjBSS0dsNk84YUpvOXFSVGkyRyUyZk1UNTJVNDRVNDdxemRaSTVyRUIwYUxHRlZVMHk0a3hkOTh0V29VS1MwTEpnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc3MDk4MzM2IiB0b3RhbD0iMTc3MDk4MzM2IiBkb3dubG9hZF90aW1lX21zPSIxNzMwMSIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwMzc4NzIyMjk1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAzOTMzNDE5OTUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMDA4OTk3ODU2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iOTA3IiBkb3dubG9hZF90aW1lX21zPSIyMzkwMSIgZG93bmxvYWRlZD0iMTc3MDk4MzM2IiB0b3RhbD0iMTc3MDk4MzM2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI2MTU1OCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4504

C:\Users\Admin\Downloads\Swift.exe
"C:\Users\Admin\Downloads\Swift.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4076
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=4076.3904.12457858394005411321
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - System policy modification
  PID:1320
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Swift\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.84 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.115 --initial-client-data=0x164,0x168,0x16c,0x140,0x174,0x7ffb2235b078,0x7ffb2235b084,0x7ffb2235b090
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6092
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1732,i,901591586077520937,508173813730619350,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1728 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:684
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=1956,i,901591586077520937,508173813730619350,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:11
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4544
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2120,i,901591586077520937,508173813730619350,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:13
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:852
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3388,i,901591586077520937,508173813730619350,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3412 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5304
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4804,i,901591586077520937,508173813730619350,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4820 /prefetch:14
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5196
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4776,i,901591586077520937,508173813730619350,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:14
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6308
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4952,i,901591586077520937,508173813730619350,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4848 /prefetch:14
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bunni.lol/keysystem/system/1/1
  2⤵
  PID:3836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bunni.lol/keysystem/system/1/1
  2⤵
  PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bunni.lol/keysystem/system/1/1
  2⤵
  PID:2724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb36cd3cb8,0x7ffb36cd3cc8,0x7ffb36cd3cd8
    3⤵
    PID:5432

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6152
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:6332
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:6796
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:5856
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:6184
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:6240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:6748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7068
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Installer\setup.exe

Filesize
6.6MB

MD5
c2f035293e07aaa688bc9457e695f0f9

SHA1
c5531aa40349601a23b01f8f24f4162958b7ab72

SHA256
704df2272e51fce395c576e4090270e0db7c7562f5b59779d36ca0563505cc91

SHA512
70228567ef097bee2b3e04a5300437adb3615d4217d3a2d08fbef364afbb54e43ffb5dd0e5f3931737d648f56f912ebe35121cc8421354d8c2292fe48f5efc51

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
7.2MB

MD5
59424c76dce707ae9be1c22d3792615a

SHA1
eff79ababae89ff5c6547826241d6da9830bed33

SHA256
56952f66488eb973dd8dd593068ae19699bd018ed67dbeffe7a33efef4b0d1aa

SHA512
c820c679ae7b2e4f119a1d5e6ea2aa2f04bd614fba1f1a8c15284b1248f82b9eac4661ca63ce26f2258e8c7a0cafaf6898052ae8b2dbd0e17e92c1ba9db20eee

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
09bd96cbe9ba6726480315a0a6d307bd

SHA1
89ee1b9210e4cfbf6c9610646609c808391a2f6f

SHA256
2b3c79731686131e3a74e583b012bb6b9e26911cea545f77e5b3c8a79f708777

SHA512
6148d66b307aa01f55818d13ac36cddf880002ef3613a194b1865391b455286bbb2033c11367e661b53d0b2027e3a3b9454710b6dda095e0e6c43d418c700d1e

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025012120.000\NetworkDiagnostics.debugreport.xml

Filesize
137KB

MD5
1e81112ff7db8ff829c1636ee581a595

SHA1
c121abcc459f8a06401a18fb7da782edbf1ba9ea

SHA256
80d91bd527fc6ced4524bc3070f43826210bfd5a2dabf3eaf23b401641cf259d

SHA512
00ae6a9db8e2774583d978af8f1dd4c66dd28a9d45e6285781699d5d6a657ec67ca274824b93f4a72c0713c3a3aa2bef2a33c455eb41bfb66115b79371cf41ee

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025012120.000\ResultReport.xml

Filesize
37KB

MD5
44f359d7c5fff3edbfae47f6e6cab5bd

SHA1
f8b8091f84c2fbd3a69c1cd5478082b151f3b8af

SHA256
63d1485d9986e36f9e248f51f506de17bcb34a41b61bdc630ffaf98ee9962646

SHA512
0183559d1a2ce33738b93c0ddcce9a52fdea2e1c4f4c9864a8d25a67475fcf46f5e0833e9a769ccebfa2cf16462eff4792314aa110a5deeccbf49f46f9560faa

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2025012120.000\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\20ed0183-27a8-4ba4-b61b-d0c844e897ca.tmp

Filesize
11KB

MD5
6517162306d77bae6306e61773143bc7

SHA1
83e057d9721690c2d4e04d146c32690f9009c4c3

SHA256
ce0d92320f53070ca03263b499961324f9125a53f5ca44775756c1a18f7f0d96

SHA512
5dbc00fe13903a98ed5709c0fad24cb52d458ee54ad2a849f954f6b5898efb36cbbb0cb7cc3ee4399e4120b475449764bfc46c5dc9da2a14c2ad56f82e704926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
47KB

MD5
a9db78e7c39d61e2b747c112d842b0be

SHA1
09318e80c631c71b9720176d320c28ce9159f503

SHA256
83f61f7171fceffb1c19c83e4594f4622ff9435b4effab6c20b4d220a9ebbf08

SHA512
f9dbe4772bf0ac2848443203ac97590421881cb4470e9a8c0dfcab5c53b9e6683419f2573af6a77d8d72292c46123193915388aaa9f71d0644ea601834ad63b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007d

Filesize
121KB

MD5
c901227c139362db89abf7cd2dfce8ee

SHA1
a519b24fa5cf1742a1b643918f6c707a5ed55e01

SHA256
d6f905459865ea861a2981b22a18231ff5c0036d6a8c62bc241cbc90390c07bd

SHA512
4cf8f0df508b9b492ceba03cbd93bc742332f00f6ab7e4791d1b70381ef490638db0493835d958ebc50f041996b640bef26590320ba6a50ca7fb0271a4b18292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008e

Filesize
103KB

MD5
8dff9fa1c024d95a15d60ab639395548

SHA1
9a2eb2a8704f481004cfc0e16885a70036d846d0

SHA256
bf97efc6d7605f65d682f61770fbce0a8bd66b68dac2fb084ec5ce28907fbbdb

SHA512
23dd9110887b1a9bbdbcc3ae58a9fe0b97b899ad55d9f517ff2386ea7aac481a718be54e6350f8ba29b391cc7b69808c7a7f18931758acce9fbf13b59cee3811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00017f

Filesize
20KB

MD5
f92ec8f4044bb8a416e05e255b7e0b6f

SHA1
d33dba53f960cd40b87a6159b0daae2a4475a638

SHA256
87913cddf943d3eba9140536ce406ec3abf4f637b417c05a973cc096b9929346

SHA512
4a1735c357944712e8187580950884834842b50b0bf323305de397823cbccb74cf57e371da6a542bede6cfd60f9328e89630093a22aeed6c07dd2dcc63fb7a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
4a5747b6f30c337d00e06d7ce0941100

SHA1
96214e36b83ea46c7d5b63c6eef0c723a5f82812

SHA256
c64fc57cea90117fe5ae5689fd21d22487c5821b2591f4c4d6e17b3208a78b07

SHA512
8c87fee32afe114bdeffb31a4b4c6a0cf6c10648792df4d74305adce89cc5b3b971baa170316a026e6f7d3fef6219a21c9cb36449770c0e04d185841ca3dedc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
7KB

MD5
f214d73956f8357db06247e4dadf844a

SHA1
012c14a5f6eb1cc5a0c93d695d1ab4dc659d29dd

SHA256
283697b1796254df18008700f9080eea46bde340c81f861aa238ca0640a3845f

SHA512
d6b5cf988244cc27c6078553388d325baf436eb333d999ec7679e8cc2f1e6b6adc0fd3d484b83a00284b2b0e3aee60521cb64d17c2e8a320b3cf14ca3e698b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
ff2bf60161b21eb7edfaab95b3379073

SHA1
c3bcaf74902c03ce08290620657cdf26e2f7e5d5

SHA256
aee821aa4929e4916ce3f1f3c3af4ccce9ac90d9b3e91907db6ab8ea5d1d7ccc

SHA512
5df937f3720a69cfc79f1caaf89fe786ebda0321fba321b6ecc61a28c1943fa2a1287f7011564a28f6d45abe9fb3482afc2aacfbdf662c690f216cc74ae0ada1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
9866e010f75b4d8096eefcbe9ba543ed

SHA1
ad7104e01d438ab6f19a165cfe78adb1a4f5a469

SHA256
4cb7280d2bd2867f232931e4e53d7f43d850f87dd73d75f9bbff3995d205c026

SHA512
acd505ec1dffd742e30957c0ed14a9542bcaee6e4d881eeab5e82ecababf94b6891da9539eaa1afe4f281c1246aed05d34cabe0aa8aa8a53ae64ba4ea42f681b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
01e884440ac4ca0b85ed4edba0e84953

SHA1
c1a6defd706c97f7c912c1520cc92febd6d214c4

SHA256
87c3c367f3d778dce52e6a6cd43958e06dd97e838f5d6f4a0fb0178001ae6148

SHA512
0e855aed44a77803aa2db67652b021240e3b83aed3baf4d95a3f976437458111a05189cd053e40eedcd6db5121d6fdf45191837bfd0521fbe1c33d1eae2bba5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
22259be76d8cacf670a1bb95fe231b62

SHA1
83bbe59c73cb24a9dc4cc7f8d0ad801da5b06eae

SHA256
96aa37ffeb714d53cc7862b52a29f0805f16e376a39cebc38f028791ca2b0043

SHA512
acfd33d64c266ba6d0e80ac7345d00facd15034d1e26debd50b4f7c3a138b6fb72c289c64a03b6624b605b4c2b5d15a2a80c0821d648460efde664f3fe5133f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
eef99c18691a66c75b6a341f6714b33c

SHA1
9bb1e8e40ed3bfc9b67fcfc155179bd1ac17d12a

SHA256
d48736299eb288c3302b31e3b695108c9dfb6a3fed67b9ebc695645d5d09051c

SHA512
b95e43e35c5be7c6c1f022ff644fcc2ac5ec0f6a3043715eaa6d418d2ab96e5e78b0f19f82ee61f32cd71dd500666d5147fce2b1aa6b9345281a5b08a34eb5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
cc2e097021df7baf90ac56ea1977be05

SHA1
787c43afc5a50f22a06bb9d037a16cd40c6e3d0d

SHA256
5e5b1db7b0b64fdb6c4e01b8b741192ec095b1e645e1a66985393bfc5bc70462

SHA512
f7cd60fd13aa97985a54841b6cddddd8ed6956e5d82622d35d209a08ebddbcc83f31412e3052d75d684aeb140618100e094d9ee739ee3325ea9db92ee27aee99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
54de9b6b55a6011046c8d6e4be6c2cea

SHA1
1f870a02fd19146f0ac805104199c41aedd8ae91

SHA256
dc5fd5131c981c650d60f8a98891bece5e24999dc1dd818eb918c17b6b782812

SHA512
b1826ceccec4c0db207a44aadb853f2b1874e161a5fe9d324ec80d948fff2d8eaad87251f4f907f23f1e47ab6c031e14c60865d38f31cbcc7ebae10d5fb298a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\000008.ldb

Filesize
707B

MD5
fa2c4372a10a6edc480ec855586e09b4

SHA1
fd64a8622421cf9b5952e1bc78c23f66ea244513

SHA256
b48d65b53bee945c3f9a37b5c6ca8ab57178f68e3cd6453c2245837bc46c7968

SHA512
999747bfec58a334052cb273a5bb7e2dfe46583197fd270262c7a4a132a688cdac7c5fda0ca48448efbe19f1156f330f1c8015f8f1f4f919761949f78ac2ccc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
753B

MD5
7434763a35938caacf087dcb47bc7997

SHA1
015ae7ed3551d55da0e84cae9d811f255f8361cf

SHA256
4e49d68f2f105042b552528849bba95c69e3b9f5c96301df0f4983297a428e59

SHA512
6fbd8a79f80e0ed4dde79f89d0523a2fb2dbf385898dd0549562dde98898ea38a3a1b0e4bfe12211372eb49e4a5d8d475499cf44d3f988439f76cd12220d1b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
750B

MD5
e8d922143c525a4d66df2eb14c97c8a0

SHA1
905dfe48c49b40d6f1e62a6961a5f08bcc38127b

SHA256
fe8ef2f8b0e00d0bd9ab89a155b4c45bdf27e451eab061ad3d08a842d3615706

SHA512
32799500fad0f72394bb39d51ede241d94780ac8316bca9179e2979d5b2853a188ec509354c807aae69af86d7094f71e99e3be31aee89270a72a1b65d3d3286d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old~RFe5f2043.TMP

Filesize
1KB

MD5
17a6f2412961e84f92bc502fef221ede

SHA1
8eb51f7d21948eb8fa9e5422eb2baeb38f940ca0

SHA256
91ebb544bd518e8e9aa93fc1991059004778a05ee0eeb1e21121b5a2e1baa431

SHA512
e33bc92c521ce28678f299d8dc4c482ef27267ca1879d54a92df8b496c56c8b709bb7575318248f85fdd11952bbcf44b38e725076ca0a090a0eb1a8fe6da0ecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b802ac39e050943f38376ba8660e4b66

SHA1
9c1d621d1257b99c2d29d639d86e5d0dadf91ae5

SHA256
7d46dafd5998ed8c27850ca6f428a8093f2fa7fc2796b35e1b5a18d78332ce2e

SHA512
553cd458ac1e10f4b8f6c8e422720f267603f11ea6d51540fed7bab0fdd7960931c0d6034262fb4c4fdfd7ee8c07a6ecdb5c48629bb59091a754373dca10c4fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5c68ce16dd5a9bf73f965db23c55d952

SHA1
2642fc8fc70f45b5ae5dc035c8331d2d17f3a0ef

SHA256
cd25b513e771e5006ebb149111f6d49aac1b6647cae9b046286f1189a53ccdaf

SHA512
986fca76d07c539bf0bb6ecf841a101b81e4d75d2ff57b969b4ee590ebe7459a011f70ec896128b0fd7a155f21ca5a67f1be76941fbe48d5ad741e4580bbc17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
6161425dd42b48360e399da718152a6e

SHA1
37b93ff489614c17a0363525ecbecb76d9b18cdb

SHA256
98be0be2e77c479e6ff75ef170a4cfa7eba2573b4eb71ed3faa9385465b3bc2d

SHA512
2019cabc0c7575c86dd957454a9e5cb418dcc84ec36b23733afdc0c9cbdcf1b808d6cde7d0ed88c42bd1699655889241eac379c9f978eb20953a9fb24869caa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0f86b9d14589be36fc6ad01820e04343

SHA1
8c9a245361226fb2ba6c9c528b02f70619d74a2f

SHA256
3ac3ccec37b8503c55d08347f0bd007160f4ebc4d5c75f3017ef8374403e0ca2

SHA512
9df1ae97bc3a2d0edb1e515117660bbf11738f9f339ab208b0b5ae874a73b3816d26e364bd6422820c623664de93286dd1be93235b5a59aa68efa07d9a4bb077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c2d6513781dad595c6e8bdf19a1d4df9

SHA1
d5e892bc86cb70647df53b89be6081bd47eb813b

SHA256
99790cb91d53ac6b2ff7df59bb9109ff5e6ee0ae39b48dc399a46a6356731cce

SHA512
fe7846cdda4852afe62773c0ff490cd6db4880073d830e9f15fcc4fdbffd7f903c0e9af82b9cffc0ee6f25ab32fb449032b76a2b5d4e385f94d032316fb773d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
df8c9f4e793c2bd8e9594fe7005352f3

SHA1
43b97b7136d79cdb61888b041b5fe1e5e2a1e7a1

SHA256
c65569c5430d218c9d3c33c47f7c681d8f9f694ef2177dc777d3c81097a5ed2a

SHA512
a14b104b26101ae85385a77469728d159db62858bb35d3ffe5b9548defd5c174d370e502641e5b5e2cc8b18f574531101b64465db9f6bedc6f0a696575e8469f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6f32dd823864e7dd38ed52b1e936fb25

SHA1
5202b8c61cafc32b601cdd8942cff4444d938b0d

SHA256
14519e1809c51f04c9088f8aa71954d89acab3454225888dff5f5667046efca0

SHA512
e690c8da1917a4c70e896626f86cfbae4aa8f9f307301f89f61453fab6555b1e69c14a28c253cc3b6f532205fb124c29378a7d6a2fe34861546c126786580161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3015c8899acfae61446b7facb7e2fe94

SHA1
25faf83aa72849c45cbb060a38db33ea0188d033

SHA256
ca47810631ca595e60aa0d9f425e6cdb80e5d6ffaf09d22e2c08caf5dfc90df7

SHA512
6c2a645e265f788d1aa545cd594d71e1cb5e9ff969d0b2b06d6a0ac4c41d0dda19b4546b224ebd56c717b6bd2a6fac8dacd627a0849bcad42ade7d69225fcf14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a41e1004bba512e9a716221799cf9cd5

SHA1
5b61028456fa672001172c8ff7ad5945cfcdb865

SHA256
4f82cb5c65c6d9187f8406a134e5f13d15f7ee4f3211305f0fd5e292aeafa182

SHA512
4074c0a6a9c902a0f33f34d542e58ae61dd0c753920cc964841458d0e27f5b40a3545a639db837f50d8b901fd020abd7dee8e49d7ceb6a2398ca1cfe6f86c36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91ee596e7a80154073c205f16f975ff2

SHA1
a416633020ef5c92445292d3e3a4bb0f99a039ea

SHA256
e2050c751e6b3f1e07050a80ad7d5bc482da0f2ec9840f9b8b9044b2f918ce87

SHA512
70176a17b9edfabf74a911343a43768dede19c497f51e0dd5ea0ac171977da37b1313416a682a42f60169c413ecee6744f83a6be69b65c0cb346fa6057e819e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e95b35da53e2e4c2c8873fcccbb6ccfa

SHA1
2d8a1f5e72d9aea992e78fe8ac521a24490d5b85

SHA256
c14191d869928a7c5626608a69905d171247661c51bf2ef4dea55359da5743b8

SHA512
fd902357b61389776f74eb3074340dbb1e3fc54e593249507072036d6b1e77015fc3d617fc1e8c76f26369adc87cc7c8e4943306462b7817cf76be194db63f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fda9cf4aea1f4be72460ac67d8412867

SHA1
46e71cb3fcf6baa8d33248964c3fb99c502bf3b2

SHA256
73d1aaaaea7dfe1fa801dbf3649d96c16c2c3f24d6302cd2ca126a7be9a0b09b

SHA512
70db71c88e84bea7d33a788cdd86064ff59e528892187d568936712abad6fc7bd55e0ab11817c56fdb40d8ce00ec701e8fc9da4e141fdfd3dffbac948bee3b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54f29f2fe06f6be508f050a3c8a98b3e

SHA1
3ceacc678c190d9efc68dd339c22c61b09c9df90

SHA256
412ca0aae2ac0f0c1bcdcb2fa9970019890cb6679b5561a98ef11a7375781e25

SHA512
305b23d2a701fc3f96c36c52011ec756cbcc5802e53f7d610d2239a1a562c3f31b60c257111e578713767a8dbf690ea43de49ca535830cbb3e5fd8cd46d68199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
48f922801dbd0989af259aacf17daeea

SHA1
72fb4e1b85e8893610d3aacd8d5ea5788769bbbd

SHA256
da8538a9fb8147ce8eed670427c13e0d97518c1e9fd28a9d82056c7f3df8340a

SHA512
39f251998783b548d6b42c7eb37aae45ceb6434e88a7b770a11bb0ee49e3f72fe899e57e3e0b23098ab7be82eabce57b79093241f9a6e27e832f7674238b35ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f350c83cb616a8a626de76ed0aeefb15

SHA1
ba09d7d5873019b36616b86128cca27af68d6c3e

SHA256
1eb39bd8d2b7d3081cc78613a2efb8f5bfc5a9a8b296be5c8e402567b2e6e070

SHA512
c8260418f3f1acd0437c127388d5d0eb86c228a839a4641f79d0d35607fca9f7ce4cd8dd8f940e23fe679e3c80e0bd9aa932bdb530ce8f5625b765be9991b7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3652dece5499efff529f950db9f410fb

SHA1
abfd548340d7f7a8c98131c7cf2d6ca785a2d9f7

SHA256
2414cfe841830a3126b4cf1c090857234cbcc03bf778c21c2aab70dcff0648f9

SHA512
ef58139f437ca223f17feb7177b0082febe29db5b681374ef27d712d840fa2cddd635543c29be33990b805b330db84efe6b2ea73a35f3f326640df5d31bd990b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
03e4b6d6ab124435b76bd82d0cdd60c2

SHA1
e7a95a2cb8252fff8366262269d4316fbc1c49fb

SHA256
d246dd74cbc73ff64b40ea26a079692e45ada5a636b85dc08cdb41b567a18b4a

SHA512
3046be3e054d5af1c2b2269ec560c917fdf8084bb72894b215277a4613b2515de461edd844bf108eaf119c06d04a007c4990df7ff1bda4f5794ac9227075e086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
5fe2f59e81b93694cf71a1841e891f6d

SHA1
31a3df183729fc722243f48812626218270ecde9

SHA256
5d1e9a5459a6d774b57562b786b2782a284d01682d563cab0dcf3ad4c3173a60

SHA512
75dd3ef3815eb7f4093748a5d1b9fb8bb51d5fa6ae86be49927d279af5eb53eca196cca2e3a08a55c8cd03e27d02b86a996f286a7956bababc454b1bcada03f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ff9b6b4f21d04386e34955cc4962d0fe

SHA1
16211f2b892650b75b8d4890b1f6c60e8473f073

SHA256
8c4c05ac53cadf18dadd48e5b625f09fdfcb7957a34a6490302859f4925b9135

SHA512
7d208e9f5d3069e8909626db49e9a48426f32045938c8babf44e7e43042e8b4bac3478e271f1d647a453490847dba14f3c9b1f2cf8c97c3b6dd5a06503b9a36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
d6e52a438b46724426f502c63cc01c16

SHA1
1ff466d927e0a2babf5cff9582ff818dd3513f2e

SHA256
1321020b6eb61e01ce14db821c1b74db20f58e81c419bee77cd38a5878502405

SHA512
fcf4f46506c5e8a6107041f3349fa21bcfd42cd88b04094e84d8ce686720b86374881637534611aa748ea5dc4f55001c510a60d58fc4d1fd3c7ccccaeb11b45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
0749654360f86b6d0eb3a9f656f951dd

SHA1
8bf5c867441a3bcdc388fe9028f4540e8b71d42a

SHA256
bb51d79b72ec0cff9dcf02c5fed32059ce6b11290bf356be5dc738470fc23ffd

SHA512
18ae8341ccfbdc40a226923ef16bda39deb7377486ca31544ba4f379aad01f970f920af87f899a1e294cc566ac76d0f9a0f5bdbc200ba5216e8e76c8b6fb91d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
90ebfdba89744308f9c076759e8e9e54

SHA1
d069963bb32440c843ad860ce25dc79213da9902

SHA256
70047825b1845a644dcdefc1dd1fa73e005afd8a6d1bb34d42aee7ce9f0cdd86

SHA512
b6da536da004d1afa954679c6fd014190102146719eed0ba75c528624d015839805e61f8ab70743f85efa6950fff82cb8c1772d370e9c568b90f6f2690597a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
423f73db72aba134fc3415c11c0f6bed

SHA1
70d445946496b827bebcd7851042862f89afd477

SHA256
4bbcc7999e944d04dc46d5847dfe8f2aed204daf65f162e39571ec1c60bb8e38

SHA512
3c726d2e2588881208d8ead3d2943e520b5669e1ab453ceaff58bc81d70c98ebcb3ebd09842c1ced662479b5e7fa0ca7b71db91ea33a7570ca7a9e4f9be70d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
3e4cf6a59c84bf5a79e9fa85808336c6

SHA1
68331ba8c04584cdbde40ecd8370b6b572e4ac80

SHA256
34d1018c359bc5504ae193ca18d25473b1b5ccf18d7f16f7d9c896a3032774b3

SHA512
267596619da412750326e1030f2f88dc3f981e550f9f7c9a6ae63ef58cf098fa173d5ae8d322887fcb0255f2689a7a474734527e479405a1c5b1daa16e7a5f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
d117650ea1ca04c872cd956599262e35

SHA1
332f3c3387585c5eb1e92bf645e4949b8895d727

SHA256
26aea6663db5b049aa1261e36e004a6951469438b5f16b06a4d6425d43bb0cb9

SHA512
dc6ae4f92e36708a2549bd941a7e75f02bf4a6e7607dee5f468eaa8689893dc38bada283b00a4020be87399a625c4e0df3e27561defa659423e12808f3218718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
eef7b98fce039f5ee45d3a9eede68a7d

SHA1
ebad8dfe08530dc8706982c01ce525ea839318fd

SHA256
6c966b1e12a317ec9deb2c195b4918d24d15524c60310131fc13dfdcc5ba82e1

SHA512
331d14e05d15505e00d201123ae2c9b656c33cca8cedd4fcd93f31c2179d7b5be79e636ecc78db324e4051b2fe06107dca34cede198ee07a04c6d7f7737b1acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
47619b18a0e1baf5c3699c6ed3038471

SHA1
a33388376b81f59421e324298554d548fa6955e1

SHA256
b696e54e61013ae1da1e3ce502879b4fc4883d58cb8355e1b39e3497987e65fe

SHA512
ca0a4533f7d7ee56def36ea7f56a770876e3502fe490b3e24a0aca2eb90ba8d18ad61dd46441710baefc6f9c84ce405d4107c7347e754ea13771a37438da60ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
96302a4edb221e822f2a6d7280a6fc32

SHA1
4ab599427ebd08b874e22293a9e85ff73025372c

SHA256
013ddf9c77396f0bea9f20be74019614e6ca92caf7af14c5f87e6063c0224bda

SHA512
6b4aad8e4733f4b635b9b14ae498ee7ce9db6dc0ea53f7f58b50a4bcd34ae6169fcdabf2b5e2ee489540261c8b32caa46dd4713607db1303262adcf996f5af41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
95e3c7abc981effcf3f23469667c5515

SHA1
9a508e08af86eef303b38c7dd623ab96624fbf7b

SHA256
8432aa6f7216e392b2fbd8a5785cbffae6f6b419f74eaf0250671055b4d1d322

SHA512
08a8e6c0d6e399b98df55e855d0da46ee39ad26ca9a176351216b93098983dc41a9ec00e65b553dd400b2a9d3fcac042ea6fb541c72168010dc157f9336bf6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c916ac4a5c9374048e095b842f8da4a0

SHA1
9259e27dece31d20ccdbc758305ae9d2ea9bd416

SHA256
eecf70c74f278dfbc4ed2ffa0905f8a4fdcb03c4925c6af968d0a24e9cc71983

SHA512
0aa6b119ee46ce37ef438fcbe428baab6f05bae55677266fb9ecf96e47017581d3e327857d2925f9481c36719646e93720a18a0dacebecaf8ee1c2fcbdca37aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7dcc7d1bf28174a1980738d1b7358a4b

SHA1
99ee532928b953a62d6df105b7211f7432ec7c8f

SHA256
4e094d29199159abcdb170c9ea4fd95b84723baae5ccd202346ea79f1726d8ca

SHA512
299e39529ddf3ad09dd7c364e422f6ca5d06530e9272e28cd5cdb95afd4d5e41828067ccdc396dccf3f95bc344cc81967ddb45f1f249a7ac2288c5806a807ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
68e7604d65272ec6bab2eefe805c33c6

SHA1
1c2a0d4156977f11e459e81257c8f7207fdd6d8d

SHA256
4c46bf4181c0124636853aad7121d442380065f4d2d67b78cffcfe91998d4a1d

SHA512
6fef718f5c7c431d4c7e9946e64523795fa78a871e6274c40b7adc61adb953b0ece5ce3b2742238065d79eeaa298640b32c54b1eeed9418a96a389d63c5518d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4d9d92c43b65dc09f8393f4ec1e1a4fb

SHA1
7b61341fbdd6f301ec8c34af67d2e1a528e99d4c

SHA256
180a60a4ac1b3f96b0744571e63e2210982092730c20793452d39feb1f4d0e77

SHA512
801c92ff34b83bf2d46a9679bbe344018d38be75cfc5683c1bad386a429de79797dd1495675399ac54e9b99327d2f6c047762c73fbabb7d73d5eaf47c64d983f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2cdf4868961fd6aa3391a6e54b2b6076

SHA1
c907b5d83037e5e86163fdc6b237bed841e91b4d

SHA256
86b1ee25f8e36b8f8024e07a73c0ffa756001d43453babc0fecc81d391ae4428

SHA512
09b4d0b59f67c4287c666617ab42bcdaa22c47778e1d14e17f9aad44d77f99837b86cd97e33dcefd30e00f3d0483ab07ed8bdac8ae4bbdc9f9b8942e0443cff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c39ffede0c6ef85827b9b3127f63ef19

SHA1
1b86bfd225dc7d59675aeb508aef4ede4301bac3

SHA256
c1d917044c56112bb20622b8a4f57d6dbf7d08c2d8609239989863f6ae0078d2

SHA512
693e8a5d61ff925a723173ae0aaef322945b7660ce3799e68d376d94995eb906ea6b86eb253b37347bd1500581cb157da75f54cedb04968415de8cd15ba4d214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
820c4a702dbb89aaf695975db9c886d3

SHA1
eff5c21571cd654cbbed4d840f253cce1fb7e562

SHA256
6ff9211fea72d9969c629e542652d44a898bbb13fcca369865a6bd15eec36b4c

SHA512
f1057511b38c0d73c32f159716ed4f9c0597e5046cc44ffefc52df52fd0cc4fb04a9f598bd3970dff8022bed61c9df55d7ad80e4f97d18da8071b229e4147898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4f6b638582fac84faea6a565a7cd313e

SHA1
4770fc7e1e738202cc837e25e31e2311c1341967

SHA256
115529e289b9c9da1cf69d5715032f4163b3662ebb13bf7cc0edcde65d0e2bbc

SHA512
4441698f6482cf894b1be3b032ddc2bb4e8544b1b1c5e7c4b00319cf4c5c36f5af7bc61a0a21ad09103073467f8509725129f49612581be3031142e288a02218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
05d1e66949ca504783c6e3ccd0578ea8

SHA1
edc314382e9aab8992f0331a717c8d6aadd98806

SHA256
a30f2c725df3687e1e5cdee5fe3931d19a747bd76a8183626eecd35f1f3ee5c5

SHA512
0f3860bd4afd98fe65181aa615c8d2068236ffebb74ad5f3bcee863b1f00507aeefbbf2595df4cfdb47d9fa39beb744a50aaecbe175b71d2fe1e8dfd0a355519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ce1bd387c2719b6a642ed31248d692a4

SHA1
18e0904890fdbb047692876c14b952e865cdb898

SHA256
e9efdd92c54a4b05aabb1746ae7d261277e7af125b32e1dadd5fd6f450edf0fd

SHA512
036a74b450e0e62878e42a70e7f32470e56d5e190cd7b741a6a2b72833664e416833d265079d823f8010d7c511e1b1429c20bd8f993c04339d6a9605873c4556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
9be063f690c5bf3cff5636639a3fa938

SHA1
323bf919c9aebe24cc957a51986edd56b6104d0e

SHA256
8827a9c6ee66172202a29d661ce2fbcda353c103b49f0a982fb815f0eb5ca435

SHA512
6c1e95cdc92f34ecc46ae35665d1bfea55838c1668227610218c0c1f59bf4cd43eb66bc91cc8c61fae082f1309a799d971fb6ed93332710bf726cf02d183e28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
67f7d6cc38e9e75293c4c35a6ea0e3cb

SHA1
15738588a6f4773196d0a8552df69c19d54cc891

SHA256
c2fa718f1d012b16941a0155ac47d34c62cc80b634c92a0280e75cdf46693e02

SHA512
ce635a2f023a1269724c26bb1dfebff9fad5440b4f0578e139d90d3bad367f640f6a16ed57d46e499c305cf43652fb2dabdcac8b1f94808c23031a63396972b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ba7f2ae3893e241f5c6a2d2cb7a3d163

SHA1
c419cfc05086b871e1dfc11b16b032b0b732c33b

SHA256
4ebf2b0ff433568e464bffff7cf0839cc0e3fdb473b921529a861e6629c7556e

SHA512
055bddb1313273704299c5b4b3741bf09d0342f98771bbc81bae41ed5dc55535b04f292796a36c723740d8eed6bef51539a9a1f6a0e1b9b67064b197fe5668b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
62314da32ca92cc62fdeac7c2736be9c

SHA1
af06320193daca48dc33b259a3a2f11e49026055

SHA256
a88d75335720093b040b11b05184e49fa78eed8a4525f8fb7a3c1f3514b98cd9

SHA512
9f6cc30cc3b68d4dce99ed2b6c749d27cef311d9e82f08fa97158bf6af4817269e674a81431cbd8d51be3f03ea1efcc15e72219743cc2963aa21448a57044cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
64375be2e2820c0e0126c176a2147442

SHA1
0576b7494710e27760a479f94be5da1f41230e93

SHA256
dd8a61b4fd713146e525fd697ce7f7a9a35b7a4a28d0142dee6304ffe33daf04

SHA512
636fd02ee9a88262463485718933af38da894bd2dd0a014df81506c49ae88a2f80836e3091bc9129611102d41fc7fa8e5ba034936dfcafd467e8fcaad3816ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
783d2e554a7a6195220c2e9629446bc9

SHA1
f09e0e09cc85ded21e0a7397918086788f172542

SHA256
3aa58eb61eab06176aab2b50a5b5b49c88e54f209187b572d7d78cf4d0290981

SHA512
99157c56ef2dc67af56f90044d6979b335d354e31595f50a846d0cd19934e65ccfb506dae531b18452edf87392eb46e02660dbdbeff3cfa62d707424d12a28ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
aa5a7938f01905fd17c679bd51e2c624

SHA1
f2d6ea922b9457c2193e8629526a00831029bac1

SHA256
9e5017bcd046daecc56613bc8a969f02999fa436ebde624f24dd26ad088a7b2b

SHA512
8f8adb343d4cfe15b3806ff08f0fb606b69d51dee6fe7d321fcd37081d3b89b2de761ed6f477271fbe6ae641ee1c1106dfda58166dc212409a10d2c2db9bd232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
559cf625147d7dcba97887cf1d61e09a

SHA1
94164e064a1cf5884cd88a164625b9e4a8a9bb44

SHA256
083309fcaca4cf6836c43e1304c9d42f7b83a529d5645637c0925ce702716b71

SHA512
312446c555fa6e329d5f19230bcf3922d69524d3ccdededee2d55c9c60b36666f30d9292b67b773e161972979a5c1ad8d7bfd7bbbd4beb26e59d126a34e4039c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
8f01a1048a6256c1b1671778fe7f3b90

SHA1
5336db7c69393bd09284e095b06a28a8ee1ebebf

SHA256
cec30f4d32b6663960b9c0d2b58593576871ebfa6ff26381a545aea6cacbdde2

SHA512
d838649249f7a89efd5a100a2a0a8f1452a52135acaed7a3f1c9966cdb7c2f72985c043069769243cf64fa72a2461533c307abb6f32431cda4bcb1268854eaaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
0ad60f9b75d03f47bdf2f31afa7fdcdb

SHA1
565c7d50f09d5494eb9377adf193f44913e64383

SHA256
822376f4828f0f00a17f1bcf6ca2bcb140634a51a5d07333b5c5a9bfa91ec856

SHA512
94b41d68539e17165a5291137ce04b8ddff9744ba89fa67bf6582e6e7a6c3fb2ccbbb49889acbc8890ec50e88a87d59b4f9e25c6c064a61bea19bffd4d0b3bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cc81524c5f9f35f404b6bd4eafcc96cf

SHA1
80638699e31f77f2fd2271d1737e8bcc77242b46

SHA256
56c071d5091c713cc0934d8dae151b37b2f3a0ff9289e530505d3795d7b43130

SHA512
6d5d5064873208457989b4ca884d8b4d93a56a12b47b52691ebda7954857aefc505f268e18f1c03b78fdba82513bdb302f2563858a8a361e04059aa3b3909faa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
de364f3c5f5bf151b395ab9adbb49b15

SHA1
deeda10981ff6b97fd14bb87462f7290e747655c

SHA256
1dae59c182155fb990c3d2fa76f7fdb7e077346bcabb9fbd7def6a62aca1b82c

SHA512
5a81a15eb0865a8d56f4269b8ca9c2b0178bf1db793b3c3d26f6855b8b09fa5a8592423aa3b443325f0a6208592f77a7805df5d25c562b8555c575a8ec7590c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
c7ae84c1dc6fc07bc38c2f547ff1eda0

SHA1
0559ce1f2762d6eedc7b022af40e0750d1c89db8

SHA256
0020f873eae60bde21c66a8339be0ad8b84b8c97bc2b4f6e738ec09c40c363ba

SHA512
319245fdfd52d78a54d7c648f19d53d71f26ae27179bcb1138625d37cde1c9313362558dbbcec80d0a3819c39842d0181b367ab41b4c003e34fb78f46a6ba624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
5b49382136fdd13c922cf4fb3a103650

SHA1
12febf90bfb1f9ddf5f2ecbd0835233eec4a937b

SHA256
5545a0267c9ada5845457fc01246f10f8e80411b5ea71374777db273c4c2db5f

SHA512
b24462468ba70cf1e21be06d0b0134a532a574c7b4adc3ab060cc05c86a34583825f4b99b0b6e62c6b7fa1f413ea66bc2ee4ec6c9843d645a8d9b326857f4d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
580f43a65da6169bda48291e55f39aa0

SHA1
31c2261837fdaab2b85118f310819900a05b7e09

SHA256
01f3b4736e4fe616b186171b60e5fdc3a5b6d919827dea4ad8e9e87e72b20582

SHA512
8aaca4e9e79771cc2c0eb25e6f72f9a303677c3007b020c19b476b3de189aba39e5d12295570ce54f6da11fba4870bf1a8bd0d998e68dccd74af3b8ac9bc9b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580078.TMP

Filesize
370B

MD5
c0356f127dfacfd3864c0e767f477d1c

SHA1
e8ec07709fdafba8ae8c45aeaaa524add00f5b9b

SHA256
3eb995e102b76066c099db356714914bbf64ec5da1e1138ec031ba2858af194a

SHA512
04427c338a690c8b8b343dacae6aa107e69ebe8707300854cff5f981dc6a93bdd78769704fb2733c62854703693f45b7bbeacd4ce33ec1a6a5c14606c533173a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e356fa93-52e6-48ed-87fc-89ddb4ca784f.tmp

Filesize
6KB

MD5
9de2a8dad214b7a4867b8534c26df9d6

SHA1
819a0468ba6dfca1714ae8e84bf09b7f2b177dc8

SHA256
92b05a98fa030b5470e135c47dd1bf1d709f84c95352d3b25372a656f65e5c2d

SHA512
6060fcf148e7a87b14d5b85844dd702b042a759251d05934fec65038163700b0be76e993971613797afbac0d8c022ff7ddadf9c19efceaec25b81fe7968ce06a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
82741174a4cd57c35438cba4dcc24d23

SHA1
c87f6174078d67a63b4cbfcca0349f8deeca495a

SHA256
91b9572adf8fe78009e69c8de1ea8485fbad21768351c79c04918a93173a68db

SHA512
3f5174f25306ba895d156cd2b34852c83350b2800b96cb6cbb85131c9bd47908cf9a47882de57f115adc1d73b639221f7e8ee5c4e74f1443302c36fa7a992992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
acd56402d7200b215e81796a6a4049b2

SHA1
199fd2efb1ebe59e987ae5a78e99b91f7b54d22d

SHA256
4da7218793df2d0edde14fd0c213aae06457b76144ca69c4091cab2d3e92cbd3

SHA512
01d8607f0d40eb96b222412f6ec7ba083a2471a3fe5a2346a858a73f2cc92fa03ef2328e4d8d4a09afcc939fe09f760c3270d1dec0893cd320875be442d5a8f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e92495d4931f29083f31f0a6a2a6145f

SHA1
313ec82a8dcb563955c03cc8072c3a1883811a31

SHA256
88ad56a78a56606ab4c3663eff1fc85540164ec2746dff848ec5de0751bd66de

SHA512
05da0ba1b9627be157a7319edea8d7c88729da5fe1bfdd68f23873a09e61c7727bdf6103b45e68af4465cc9e2c05e7f6622e219e189143d4436e8f911aae57fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ac032ae583fcccf644abfd922c16b592

SHA1
428788cfe5e9139a0373ca45ee67edba8d0cf28f

SHA256
c4357137c3778ba78a1745a336c3125c7aac5366b5d188f9201493d8af438109

SHA512
54ee35cf6043143d9b91c961a006716fb94e0ec8ca99b1d907f82b04b2bc6c2778f9a9bb71a6d38082718fc7b3ab7d65b3b027621ea31dab5b4e424da0b5937f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a12a589a670500012b64223287f82760

SHA1
b5190e7e46053bc0ed343549365c577d6712aded

SHA256
e9f6e17ac15a59f51690c92a575bd865bac04dec5746f19a2c2e699871e3002a

SHA512
cec39f8311ce5779f01a452c22d9c171e3e01c430c855ca36b8ee1c0a2f0b4c10ee70bda5262006627c76fd23cb213e53ea220f198353565d484ab7434ba15ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d6d3499e5dfe058db4af5745e6885661

SHA1
ef47b148302484d5ab98320962d62565f88fcc18

SHA256
7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

SHA512
ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\4eb40bd3c767674ee4b74fe5497f0863

Filesize
7.5MB

MD5
4eb40bd3c767674ee4b74fe5497f0863

SHA1
e632cf2bc598ee38f323b331b4b64de0fd51a706

SHA256
fb9fb730389c066f553796c8c843b507ef3101aed13f7303d5f1ac6c347cbd2c

SHA512
33b5b734a696d67c5ca9dc911f4920a29316fc901bd1b0a9cfb1702657d7f017806c69b1aef80090f64dba353364dd987e3440ca2547afbd3fe4e9af61546660

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\e16e648456a76cf6c12be47b86b4401c

Filesize
7.3MB

MD5
e16e648456a76cf6c12be47b86b4401c

SHA1
a033d9a48bf918dbba65ef29576dfdcb5db2194c

SHA256
3032ddec0e6152a0aa21929060e8fd6fc0a55c4d7d8c534fe6be24775dbc39ae

SHA512
68f335d81d20b8e5e273310148c011aaf8c2d42f2902da31653f705090f2c86f6a1c872c40e776aebd0c394abc32b87efa0213c95292467fa3b5ba0b8c9a6d6f

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
43059969882e9bf1d1d70355402230c2

SHA1
dc2cf8d672929e512581c245addf4686ae620940

SHA256
d0399007d19f4fce9b0cee7c5ceec9e6ecefbbeed116cb19b8dd65daac2fdb6e

SHA512
4c5c22b6d8d2bcd4ef4211ab9b3210b814de520c8fd1bad9a4abd3169f09cfb36f8604206f8694d003d87e8650c6efa2ef5dda69dfd06ec9bb2107a03f88385e

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
02364192da2d613fecba8073c41a83f6

SHA1
5e89f9dbf774c477d0b7c1eb9de350ea12659bf3

SHA256
7e6741c4caa82b5ea33d1970e0361f7aad7c68efedd1e422c6e5d3c29a0f6632

SHA512
cdddb0d9045aadc311d7ecdb71a6c5381b328fc38dff2c1fa3b5b72cc2c6cf8ab638e2b7660b801fe93c1be1ae2f1b2530d2689185dc73cd178372a9cffc27b0

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
85f525fc3b1eeffdda964041c7d665b6

SHA1
c21e5cb978f3cd9f6811cf181d79d22d97d70b0d

SHA256
1ce39d727403d7dd437ca38447021c25164ebaa07c34812c1457f751a8fd0601

SHA512
8e9c10e2bc6735e1992e949ee615eb8f67a2d1f96d18af59d893415e2b2aa38d5793c0e63e9af5436c079a7e7e371804238ad66a47f9838d035f69c507d38e8c

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\004565ee-be75-4784-ae00-a9e1f12c107c.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
928633a52686a8d02457e391e276d557

SHA1
ee3ac133b0f3ad09b4c5552866db75c4a2a129b2

SHA256
282bf218c50f40f6e7f2f7ac80dafb033a706ff39b2699a5e5f90f05d93baad6

SHA512
9c2a2ac908f4319ba09d24d7df70ceb9af4b3065c6c3bea811cef50c8e5172908de4d818e247748a589c6acd8d5614c7d27c81f1a28f2b2e0ffd91d911ff383e

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
c63119f48385f34e6af6c9c0b64583a1

SHA1
aa96fdd83d692dcf710fa487b2567c653ec70be2

SHA256
15633cda82134de4b8d5dea4f19e7cd41695a2ba755ff1a8d763ac03561f132e

SHA512
16faa85443d16ac60a6b619af6b7a42fdca95f1820adae3b13f55ca34a03a545c125a449eeb60a5f52de5b10671bd9fe72743f605944183a465b747a6024b0b5

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Favicons

Filesize
20KB

MD5
5688ce73407154729a65e71e4123ab21

SHA1
9a2bb4125d44f996af3ed51a71ee6f8ecd296bd7

SHA256
be1b822e970dfe1a120d248db7000eaf799bd6531929a1308676c70fe1608d60

SHA512
eb6452b23ea36c39d03ead154185616c13583f12f382cb2456beeb1ba6e5febdfd2a6f1064283cf115ad1c517dbf409777cdacb128e00c9d3f401335db355537

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\History

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Network\Network Persistent State

Filesize
242B

MD5
08a45e72b6889c6d9a4968328ba595a3

SHA1
67f3218eb60a8766dadcc9c9e8cf44b5975005f0

SHA256
0c952e4983b9e052c9e7d9113f09534eac2304863cbf73fe57f094e0323bf15b

SHA512
f5fc9a7f58e2829113950a2c00e83eb4470e0ec18f23e437a09f0fae5b992f4ff66cb7bfe1cb5da0cdad45533673135eb0542a23dadfebcff7e06483afda3357

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
8KB

MD5
e8140fb7f046bda5ee17ddb1ca0f4773

SHA1
a26fe6beff43ee1d8b5ef71fccd781dd0caa34a4

SHA256
7786e9ca6667992527b1785aeba5644432f4e47a00578a8c72727df4c4065161

SHA512
408d7f3f93ec4542f3eff2551c6592b54d7a71172b1e0147d163a52dc1132bb6c1a061799809a3e6dceca8d4f92f55627f054156a14ffd2ae34cd59d3a54e6bf

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
9KB

MD5
e4724e0f67d24512ebffe9e34128817b

SHA1
cd7c9050339390d4f542816ecbc52a6f9ef3e201

SHA256
560b0dc22591f3b9bb3d735e71968f3ec6f7ece588a94b5c348281630d6243f2

SHA512
e2b6e22a7f5473f3272e20a03426dc42c7ebee155a07608a5f9f3c9729abbd838d380c8623930cb862f50426545b261ad053f7166e565049435dc0e48180623a

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
3KB

MD5
f7977dec8fd6a485fd5fe093202140ba

SHA1
8bed1c56c17487f54a5308baad65d444fcb3686e

SHA256
5fc8b2cbcf8c16ef89cbb33d0902a123838477142033012f10c3164f1f14d455

SHA512
7f35632f10ad1f3287b3b34feb425eeff281f83a32a047cfb97c989807c59450c5ce49c71d3eb0bbe090c365e08c73320f3a605a7b606557d97c0a85ad5dcc98

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
3KB

MD5
1b5e413ef37d58894d810f238a53a264

SHA1
7e999d001888dd9265a49a94cb6fd4c5691ab564

SHA256
57a46d4c358e8509d9d59e31e6728a6cf5e64856c064f339fca1d58a89374fc0

SHA512
cb863934bfe9e17736602ef3ed7db6cecbcf075d8ba12cd6a4db501710385d271398062d1edc29cc1f79c803dd2f1680c3bd5993de324bafe25b33b3249e5205

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
3KB

MD5
34420bdee32943e4408508070d065d7c

SHA1
6a5c146a3d5036e0f5054b0ba39fdd10d916facf

SHA256
2cfc684d5e21bd10b0a78734387ffec65a56f6bd2202c0251036ddb5e4752cc0

SHA512
02a1d19c920c3e04f0fcf93d8c6491563628a6a21d89f50b3e2f828175ccb79a13895a488f3181da8f4cea5ed8f87a49685c15a6cc26e2f09b17fbd5298b5cbf

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
3KB

MD5
9b20edf0e588a4313d054fc59df791c6

SHA1
d1b28d6da32a131cab2a109c0215fbd56f36e3ff

SHA256
408376e5332436fc5c4c974786a45782e5ffef686d16f075dc9807c52019ca70

SHA512
4f2d38df9c2b94b5c5ca20f1e6ff54a334d971cadde742a37c47dd091b915a239c419f5d98adef15bf0e579e687c5298f096d129915362848116fcf0ecd6e0cd

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
4KB

MD5
2ac78fee4442e75aa3fedfaba487b54f

SHA1
282ca9f405d493881d93e419045688783dd2b3f9

SHA256
40b54b317ab88622ba624e494f787db31dfdda3a7c093af9cc62d450edc89c6d

SHA512
b217e4cae7d2c510e33d68baf404ff03c345290782ab88a8c2c318f3add4d31fc2936d922074950af961079b93a41093307c3f730f78b2de7a4c55731fb8aec1

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
4KB

MD5
9fd5b4e057529ab9ef6b4e7c906f007b

SHA1
c03477b49e50202e4edb7e8c7711270115e680b9

SHA256
ff50424d3f93edf4c2880335b9b74dcf86f00219c9bfffce2ae33747391cfe33

SHA512
f6687c5d3661b4eccf3b439a6cd6617d1e9e72d9ee7af21e9a50e7938c1604123183ec38d08bfa0a7290c21e2358b2b136b9e3760385b3fa0175276dc2178abc

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
4KB

MD5
0fd131590dfb07c162e5fbc429e0e573

SHA1
f89e480fbba30f51cff3df43eca21606e55e83db

SHA256
c30968939c0d7a1ad3f27a00fc398231f4457eddbf26d46ada01ab8868e3a886

SHA512
d9ca0afdc101eba0d764737098409007e068daba3a4700cf0128467a4eed8f6d9c074320689aa012f76dca464d0b22995a95c791ff4e2407ddc48baee781ae9c

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
4KB

MD5
f86383bc12f20131415fecb5d8eff60e

SHA1
6d56b1ece4436b1b6535af62262b24f02d6daf1e

SHA256
1b17cef5a1e828aaebf6e2d9f0afff27e7bb25f78da63ed4230af9a9b332d491

SHA512
ac585f58be8e8d8aab8344e0fbc27ff7c8c67ea98ed0e3995d4bea2d1547ecea38916321634685a3bf98fe4461da953db2761727bc2e8987bc143741a21947d7

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
3KB

MD5
1021ef2f5fdc9cde64d09451162aac76

SHA1
86cf3b2aa4acdac11db05911adb38ee1d47f9c52

SHA256
d6df9a4745a4710c91419dd2f81442807727410c46ee74d007aefa39b03c2cfa

SHA512
21d711789e1eb1421871885b7f8cb489926569cad549e3a7fea6e2f035439842286e22475193a93d1b0adff106f359692e81e6ac55dedbcd7ec33cc8f35aa2b7

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Preferences

Filesize
4KB

MD5
ce49582dc5724c7cbeb6d0bbce41502c

SHA1
878f652892f9617a58eff2bf57ef3e7607eb0929

SHA256
c71b97db87338d6948cea0d36849a048256e2c4d734a15284a4fa51054b11d64

SHA512
c320de092b2ec31a9403ec7484105b1ff862c4c6f6a7dd73c15d7c12fc21972e8bae6a6cb8b0a3b2fe87eca5011909ba4ddce87dcdef3f7e67989717edbafd0a

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Secure Preferences

Filesize
8KB

MD5
d71db022f030e4f78f89797249649a4d

SHA1
f592bb593d223a3468cc47213cc73e7b12172e98

SHA256
fbc6e236c2d7071314d30ccc68887ba75287e4d25214d8d515cf89f0a114dd8d

SHA512
6e2bcd4e01a92ef047d5c177004bd6c378201179c8c02a5a0b1754a0de9dff4395c45f83a4140add0dfbc65829745c82e7f59f3080f4ff61cbddd76c8c865d15

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
0767ab43df7edde691f22c7a284a5076

SHA1
900227c77b26eebaa44ae8dae46c9a5ee5510948

SHA256
31f17a1af2a5a75e37a33327c37f3deff24625b9e80c09ae09fceb5647439cfe

SHA512
13d6446b10079aa96ec57f4b17e250dc252da2b3a6f4773814fccee04b6fb5582576a2bd2d4b2711ab661599a9b53b089f9efa94f8d6ceef497966bd5d1a64e8

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
358ba9af384c35ec8270b077aea7b4e0

SHA1
fbda4d19b0162bc07cf6928d8596af6d16da0866

SHA256
38545cd8533454df6b573b923e89aaaa610b9d135967be81a0820a194df65f90

SHA512
d206c93fc3ffe2eebf3375db4d7c5c6f59a03e86797c5050aef1ee9b33352dbaebd68c8167f41cc2cb3919219062e950aa47010f31b16678aa1e26b527d7d9b4

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\Visited Links

Filesize
128KB

MD5
3cf4e614401cbc828d37be5505f40315

SHA1
d44c2bd9992f83275f78688ff002b19a3c612bf5

SHA256
f3be246d485fef9cc0b2980e9611ac0be8e5f11c0e2a06e37b4b0ebb41f0a0e0

SHA512
0e9d88beff66528222b54c089402f8a4a43fc542667c3828780285ba9bbded3a39997b4f4ced16ffe587c7799ab5d05ebd356646bfe2ac430b763757d2cfdc17

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Default\bc60cab9-60d9-46fe-9631-ab1789b40cc0.tmp

Filesize
8KB

MD5
bf07bb460e9cc56813152ea04456f78f

SHA1
886d4f1df642c9fc99296c6e9e98bcef41877711

SHA256
702d233bf3dd50415f3ef1a2d176d3e85e9902332c74f3cad4d10063cd5abbc5

SHA512
fb34a537a5778da4fb196b2e872aa257bafa50a137c40e6c86473789680fc4a6b10a88de7229164f3069a59454b1da99ac178de34014c49f5c58ff9599d681d1

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
3KB

MD5
5e7b190083dd5bd8d5f3428b0a1f68fa

SHA1
11652b4a838bb8409a1db18487a42618125865d2

SHA256
84a2174763f6d5946dc56806d94cc9f9d2d33750d146e2632a18688ed72b4587

SHA512
9b59ff42a80af642acff5cbf8c04100c873538368f6274f654059d5d343ff8ff7c1f9c466ab8c44028829aede04c84eef81ffe227715243d193a9038c396bac5

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
4KB

MD5
094f0f73b386146e035b04d9bc11e4e1

SHA1
8ddec306d6ce77f1438a3c9254f92d1d4bd348b3

SHA256
378768c590bb128e9931e02560a31ff91ca3aa6ce9a000846354cde0f6442f3a

SHA512
816c7f6dd9a44c65b6cbfc433f69d4772895728e3ff54616f835c3e4c3ea7cf51e0500166e9f91664d74b8dcd28abde006e24430e7e0f351b57937f3258520a2

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
4KB

MD5
8e4d2fa054a367ca976fb8906b1f333f

SHA1
4b72975247904507bb5505b1e36389a7c63d4ff6

SHA256
f659da5ffe5efc6d68a9d63295bd6579aee9e6c2ce4a46476be6796cc36e8125

SHA512
cca6a580b4c78eb2008be788b0f8a174a9973e3b55565476eb0d6c9fbf37b087f751210b8da0c735264972b8ae6427a350c0b94a2ee1a95b76ecda3beff86d90

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
17KB

MD5
e09c7afca1f56f2d68a9098d84d43ad4

SHA1
45bcd7ec2ac156f952f594cfd064d9128d130034

SHA256
07400ea0ca2d4ce5522b57d41788bdf68ca0c284e819a2d9251b5837d1d49c30

SHA512
30d91a4f3d6e4672706a513f34ebe224c0957e8fdfc3f5e836e7c656c6ff93825ddc0930b628167c64c439cdff7a7caf2af1da488c2ed43a5b9739228566ba03

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
18KB

MD5
a96937d71864f4e84767eb53af2d4c64

SHA1
18f615769fca06f4cb882694e75e53839676790d

SHA256
1fb9a4de840c17635106097c516aaddaf1db694ab8215cfef842997ded1d66e7

SHA512
93f79a8c3509c593b4756082faba5c649be16e058b2516ee68b397bbb23d97d95e1357db70fbd30831d19c4518976c83d2a60acc88ed3e83312d1c17dfcee1b0

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
17KB

MD5
c368cb61f6b31e9760d098dd3d65f36a

SHA1
3c294258c4fdb2313ab2330828f54065db442488

SHA256
58e4ebcc7079ea98fa33140a3ac17a4447bb3142a885de1113664db91fdf4095

SHA512
c735f0ab922efc0967526750afe77e739d706c92ccdc57ea776f531bae2b9ae70e708abf47e159aa067f35a1c9f01dddcb9dcdb6ebade3ff050cb23499c093eb

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
17KB

MD5
42f9b90a1dcef374d1848806b0a77a16

SHA1
e2d897461a9441197b1c07ca387333632cc27482

SHA256
cab7de9693cd0c051589eeab02e95d7be952a2601188255268cc23def7e9e022

SHA512
d4aa7366500fcc3e1095fa0480e381076e57710f9c54f033815d3bbd1c15c42270338b2fff89bb6dc01998289987aff7344f8180312c14541c33bb17dd2fdd69

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
e1a00287ac88847f578c6ba49c8efbe1

SHA1
212fac6f0eaa12bbf6eb2c91c32cb9af85d2dd96

SHA256
a898adbcacbbd3b62b5f6d124af576a3d8e4f872e1b4e87d00736213c3b058e2

SHA512
d50744b3f1864f9f2e315ef47231995ea9f6d04f4c2cc4a44872959b7b369d2bc01c39ddfe69e5806ea2020287d4df0fb4dc69cb2fee0645d058f8bcfe8d7bd3

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
d3f5df4ca077678495a8b5f0cbedcc90

SHA1
1b11e49d38706cb6ff4d401ee24939f64bc2d63b

SHA256
43957d46487742e830214ddca4a1381c3ff87d47cde4dbd1bd186e0bd3b72a31

SHA512
c00c24fc2b3506d2a4ed903800407000608b13dbc25fae94fd14cb772e37489ca07ed28152f88b58c1fc3d2bcacc0bf3929089a8b36ad4f2be2063c2c268838a

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
a8e52cae949e6f38a343f9479ce6f6c7

SHA1
31472bd5c58938d9514cbc39990d92db63b9f435

SHA256
dcd531d1881b34d395ab1e14bb879395b0056bf59cdd8e45e1f0c0edd0a1cfd5

SHA512
0590c1607a43efa4b412352fb21e6c03a65fbceabf7e0c6ddd4671f872e49402729fb9afc26cdb3eb3f551a3dc47968f4092c281c24087ef4286c74c0363c057

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
b9d91d756ec7a6eea3ab9ae17d27f686

SHA1
07888fefc21058150981ca457e743662c1fc0df1

SHA256
863bada24ca0ab15282b5676a8c62f6febe81d45e5c562032e2153bffe686f40

SHA512
1eca64249bf87e78892dcea7e220b62db3bdc395b1c609274bd3be66e73da93244826aee3f9805220fedac826cc9adcbe4df8d11dded186b53c25a2037fd4025

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
a6235a1a441bd8875e6ccdb3658a7624

SHA1
340da7e519adc09e4d308bf2ae0973f980d25e2e

SHA256
86673332f919e9a005a6b61de58e8955b21010aca16609f5d03e760e499bcf63

SHA512
4aa67446c500c47ee5e67cd97df1fa772d0a869663902d02722e0b0f8b9200516ec8e96193edc82a98a4abd3e70220ea15d4952740b8f5857fc75a3c313f89b1

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
70b7247201acdcf2ce377061a0b477e7

SHA1
4654c16caa505ccacb2c3b20f038cade4b632b7f

SHA256
22a8454f4820b6ee9f5cb9bba9835ec56cff3f13661210e8a89233a3a2c2f3c7

SHA512
6ab7e5a6f4f77a6950575ecdc79c511e6f1075a3661d8fb9f3cf4ecac0a15dce4145cd75c15a2a4867c2f1877b6b451d6b431bf09533b3952ed7102fcb4b89a4

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
17KB

MD5
fff9201393ea2917d4e59c6c62afb365

SHA1
8aa619e8b817040c0a162869327d267c02f1fdb4

SHA256
64bfb93ceda1a8bd4f36fa151e7bb66140b12f2bc3586ace47dac3abaa6a891a

SHA512
86d117669539ad9d90fe505baaaedfc7431c7e5e705605110163f91be4b1eab777151fa92abe69a5eccc48b525bdc48b8795834e280bf105720da08eaff317c1

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
88cf62d4708470c7750116f736a44a4c

SHA1
ffc680167e847472b4ace172cc80a18681807277

SHA256
47aec594b1865ac160b44343326ac368849219c0c615e9461cd740a854ec6322

SHA512
19b0398cbbbb262442c71b8fc4327bc487462d34ab607f9d03eee7097ac1844e5beb544b16b07c939f7ca35806e6568a40db70230982338f8610110e9341792b

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
e76026dd215076dc4aa6e709c3e3065d

SHA1
dc46ff89e7199d6006a03df7d9f6051b01d01723

SHA256
5d067a3f5670379cb86f3fcc5cc5950389bdeeb734817ddba7759457c7ad4d4d

SHA512
61e96031c12ef02cbb0dca2fcbb9e783c58820a199318c0545959ad7498e142b3c0ab117b0612678757f3e06393e2f6736e436a4fc3463a5ad35a285ec835984

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
3KB

MD5
8fe2034597b7bf81ad9c1d63c04a96fd

SHA1
4e8230b7155320f98de9ce3eb6131a53c6b1eded

SHA256
50184a23954b665b8b090a37a44fd836d99a4001367e09c0d4767a9c425c28be

SHA512
3dead19f6d8c932c43a5748e89434c7ebc7b7873d488bcba0a455ac637761fd4c5c8da4aedde5722e33826dd71a12f5682cae550f432cb75d0896ab1a5d8536a

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\Local State

Filesize
2KB

MD5
516182409adf2a1630dee8b45d4e784c

SHA1
c1975cd20070ecdd2997aca66dce07c14f8196ec

SHA256
5face718ae94e1ddc58cb6b10659b22da3f932724ac816681eca781eae96211f

SHA512
6d2756650d0a0f25ea58eda5789d8a881ef90911e2ab7b0893c8ad73b800585e9f436970db1a039ef4d43e2c9aab691e1bcef320b12af5cd6c154c2a22a8a629

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\PKIMetadata\21.0.0.0\crs.pb

Filesize
289KB

MD5
24a3775317d74ceea8fba6f0cfbce562

SHA1
fed5009eb51938d0894a9bb7aee8a97873d9b6f3

SHA256
192b206ad6f649f6c8767f6a3b11d9c5354710602bf0aeb4157eea08d7461ef7

SHA512
245951359283bff026aad50f7768a9aa59c1926ca7aa441c8f6a3715be34925332eeef4115a442a7841429400105d59d13937ee3aa9b80e83f1982893aefaa8e

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\PKIMetadata\21.0.0.0\ct_config.pb

Filesize
10KB

MD5
09b6469de61db3473bdfe04951f08529

SHA1
d64b455ae9c65d8d8629a128a9f3505ef3df3555

SHA256
1c435f4448dcf1784637fa9470546d12d7db2420a11cf8b5d6343439dd401c60

SHA512
049d3c0e05aa3ab1d4d51cc5bd72603f47aa33141bf771cb86baedc19b8973911445ce74256ff1118483175cf4a104262a22ae9431a6366cbd1f7d28553fcbb0

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\PKIMetadata\21.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
2d8bcb7c4b2dc669429bd40f7048f62a

SHA1
43a332c99105dcfb67893ea167879c3ce6bac8db

SHA256
7a0866cdd7bd21b8b08d166edb3f6adf8c859b47988b9b3ba3f0eaafabe10ff2

SHA512
15d3c7c6df2c3c75daf7ea9165687c5a6f8acac3dfe83573e20aa1bd425dde8fc659fc2c1b050b3e8ddb28358a96b9e0c083e61fa5d63ae34fa4b0bb63db8a76

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\ShaderCache\GPUCache\index

Filesize
256KB

MD5
682a6b1c283fa8c1125aebe6b4c731a0

SHA1
be7f65afe68d191b6e7fd95439184e4459f4b789

SHA256
96a902ec13eacb01bb288e19ade2cbcc764fc2022246aab342c6da766288e5ed

SHA512
41252698bc42dd20aa715360372f6df1c3997d5cc65ef13d1e0e167fdfa38b51d81c81e48972850145dc12a120f5f615dc4afcb6abe76cb79c3ce323c7553bae

Download Submit
C:\Users\Admin\AppData\Local\Swift\EBWebView\b3ee1222-14cc-4747-84e0-27486e2c8b92.tmp

Filesize
2KB

MD5
fcba57a0f21ee23c037cc32252af243d

SHA1
c9f8ca4356a7ac41f3dd2265af1436a2531684f5

SHA256
048ffaada0ef33ba026c334c2d59c083fa53d7cb9160ceb419921a978e06f5b2

SHA512
54d5a4b8c8ff6e52849457509219823c40cf75b802ae63d0b3bd3fd2a16d71ab83e4232ced8d79e6b470ab8faf6e1e8de83d33a6f55cb48a2c99adad0514f22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4lwymss.ygn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Swift.exe

Filesize
13.0MB

MD5
1f22eb0a0742c95cec82a91205411797

SHA1
c36230783fb1039857a99e401ded02158c955360

SHA256
a6392ee4b34c64a366500cb050478049560e6acbb02c20077d38f3d5ee5497d1

SHA512
c29201c7ef9a63268731d73511fbeb2f694749677bee45b38fb2b9d9db7dfe382f8bd8e6ad2191379d69ed116f2a6fdbf48cf2c437bae935cfe03a7df131171a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 878480.crdownload

Filesize
3.0MB

MD5
47c5385bd4351bcc1ef5b3abc8646718

SHA1
3a224284bdc8536e08525e5258508bea49b7da28

SHA256
8debf2bb0e3af08f2124f2700bf14da2b702d57b1e3c120888bb2b2726691d3d

SHA512
ef19b57a849d57519796bd415fe8f1218485fd9df8a01d52c9a2e28d93df5988b40131a6bb2313e16e942606039eab4b392d8c3d4c569e23d7f4c48865ae1cf6

Download Submit
C:\Users\Admin\Downloads\swift-bootstrapper.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
c589975bf857d79adf34a2e97bf4364a

SHA1
006ddecaaa1fd3e1abc853923c11029999b09b2b

SHA256
44db91328b5730fa2ca77d02eecb1c209ee180d82e78db81a7f4da7dd3d2b5c6

SHA512
53f5f53098859afee63a06a2caa4ac288cd1cbe37f4b16be2f5e532973ce6e5a53f6699637feb859c749c7dafeb09a09e34a99c7fec6f37cd8f70d43393a9d37

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_302177960\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_613700491\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1320_845234682\manifest.json

Filesize
102B

MD5
2c2e90b63e0f7e54ffc271312a3d4490

SHA1
4eb9d97e1efc368420691acb2e6df1c61c75f7e4

SHA256
72dbb7d6b647b664ef64b6a14771c2549c979b9c57712f3f712966edb02d7b2e

SHA512
9ec9e8a34cc56a694ac845a4344600b479d11347ec5279d955ab4cf55590440f3491e0a1b635ddb9db821630885e5fd63c269fc2a5d1abd0a0d0062ae21dea8b

Download Submit
C:\Windows\Temp\SDIAG_7129dada-7fd4-452d-bc48-ff3f5a167ab4\DiagPackage.dll

Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_7129dada-7fd4-452d-bc48-ff3f5a167ab4\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
C:\Windows\Temp\SDIAG_7129dada-7fd4-452d-bc48-ff3f5a167ab4\result\8B02A683-5984-4CCA-9F97-FC6413C0D287.Diagnose.Admin.0.etl

Filesize
192KB

MD5
a6538c478f93f366ab1d1ac29cb5350e

SHA1
e2b3ac331413162a34dff9956b95fe8502d4a647

SHA256
52d93bb84f8c96b7c5b21eeb50bee18f38c9d4402ba8d53c10c0d495d29a4bba

SHA512
e72cda69327d44e9e2d2e797bd0feb2e6ee9561f5869b2937a3292c84fd3a160c21c208aa2e641a779cb5ffc44dade9ec7672343c0bc64244d0dc5ddc9492b51

Download Submit
C:\Windows\Temp\SDIAG_7129dada-7fd4-452d-bc48-ff3f5a167ab4\result\NetworkConfiguration.cab

Filesize
1KB

MD5
c933ee3efa0c8dc6c8cf7b10f65a745b

SHA1
429deed2a79b63b2f0b51cede22f75cce4cc3f1c

SHA256
9ebf83aa684cbf9b5cbaba47390535bfca813904bdf92f92224ccc9521cff40d

SHA512
4de91f03cd61fbf200be4ddda7613fe97e66fb21914ca3c395532ffcc619261298115b52b8d94c1a9cef44ccec65596d8b1c8ad31e9628fea2d91d2237680e3a

Download Submit
memory/240-1722-0x00000284EBAC0000-0x00000284EBC5A000-memory.dmp

Filesize
1.6MB

Download
memory/684-3884-0x00007FFB447A0000-0x00007FFB447A1000-memory.dmp

Filesize
4KB

Download
memory/1560-1515-0x000001FAA58C0000-0x000001FAA5A5A000-memory.dmp

Filesize
1.6MB

Download
memory/1848-1793-0x000001C1DE0C0000-0x000001C1DE25A000-memory.dmp

Filesize
1.6MB

Download
memory/2152-1864-0x0000020B0F2C0000-0x0000020B0F45A000-memory.dmp

Filesize
1.6MB

Download
memory/2184-1582-0x0000019951CC0000-0x0000019951E5A000-memory.dmp

Filesize
1.6MB

Download
memory/2984-1435-0x0000021D00C20000-0x0000021D00DBA000-memory.dmp

Filesize
1.6MB

Download
memory/3124-3986-0x00007FFB45B40000-0x00007FFB45B50000-memory.dmp

Filesize
64KB

Download
memory/3124-3990-0x00007FFB45CB0000-0x00007FFB45CE0000-memory.dmp

Filesize
192KB

Download
memory/3124-3988-0x00007FFB45C60000-0x00007FFB45C70000-memory.dmp

Filesize
64KB

Download
memory/3124-3987-0x00007FFB45C60000-0x00007FFB45C70000-memory.dmp

Filesize
64KB

Download
memory/3124-3985-0x00007FFB45B40000-0x00007FFB45B50000-memory.dmp

Filesize
64KB

Download
memory/3124-3989-0x00007FFB45CB0000-0x00007FFB45CE0000-memory.dmp

Filesize
192KB

Download
memory/3124-3991-0x00007FFB45CB0000-0x00007FFB45CE0000-memory.dmp

Filesize
192KB

Download
memory/3248-1118-0x00007FFB447A0000-0x00007FFB447A1000-memory.dmp

Filesize
4KB

Download
memory/3248-1270-0x0000019BE92C0000-0x0000019BE945A000-memory.dmp

Filesize
1.6MB

Download
memory/5300-1366-0x0000017FE2CC0000-0x0000017FE2E5A000-memory.dmp

Filesize
1.6MB

Download
memory/5304-3942-0x00007FFB447A0000-0x00007FFB447A1000-memory.dmp

Filesize
4KB

Download
memory/5408-1934-0x000002389AEC0000-0x000002389B05A000-memory.dmp

Filesize
1.6MB

Download
memory/5856-3824-0x0000000073830000-0x0000000073A40000-memory.dmp

Filesize
2.1MB

Download
memory/5856-3760-0x0000000000F90000-0x0000000000FC5000-memory.dmp

Filesize
212KB

Download
memory/5856-3859-0x0000000000F90000-0x0000000000FC5000-memory.dmp

Filesize
212KB

Download
memory/5856-3761-0x0000000073830000-0x0000000073A40000-memory.dmp

Filesize
2.1MB

Download
memory/6032-1653-0x0000021A66AC0000-0x0000021A66C5A000-memory.dmp

Filesize
1.6MB

Download
memory/6152-4638-0x00000224A4F50000-0x00000224A4F72000-memory.dmp

Filesize
136KB

Download