3b19486b4e14b206ec8ab2602ec6a430f9fce7ef40247b1e1f4c6f004ee468b4

Resubmissions

01/04/2025, 20:55

250401-zqx4qaypz4 9

28/03/2025, 18:34

250328-w7tk3s1py6 9

Analysis

max time kernel
34s
max time network
27s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
01/04/2025, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift.exe
Size

20.1MB
MD5

532e28bfd55208ef66d609a48a65cf91
SHA1

5da3a7f1a437cae4109b4c052b7de697bc58a674
SHA256

3b19486b4e14b206ec8ab2602ec6a430f9fce7ef40247b1e1f4c6f004ee468b4
SHA512

10c57c4bd1c18242405bb7ac89361121b6169f3444122dbef246e4605b0f793f205a9fb36f5a8d820e9c8617bddb9df65b9590acbaada19a89ac7a064a23a0f1
SSDEEP

393216:V8JNpovBLKnLuJxQBqYuIavH5Cmq+Je5tmCTtu32syZ1k3hqdE7w:VMpWNW0mBqfvH5SZtlTtuGZgxqdcw

Score

9^/10

defense_evasion discovery execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Swift.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5028	powershell.exe
3460	powershell.exe
124	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
9	2468	Swift.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Swift.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Swift.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2468-0-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2468-2-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2468-4-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2468-3-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2468-5-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2468-18-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2468-217-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2468-237-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral1/memory/2468-262-0x0000000140000000-0x00000001437AD000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Swift.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2468	Swift.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedgewebview2.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x001900000002b07b-242.dat	embeds_openssl

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880145899022141"	msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
124	powershell.exe
124	powershell.exe
5028	powershell.exe
5028	powershell.exe
3460	powershell.exe
3460	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
1644	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	124	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2468	Swift.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 124	2468	Swift.exe	81
PID 2468 wrote to memory of 124	2468	Swift.exe	81
PID 2468 wrote to memory of 5028	2468	Swift.exe	83
PID 2468 wrote to memory of 5028	2468	Swift.exe	83
PID 2468 wrote to memory of 3460	2468	Swift.exe	85
PID 2468 wrote to memory of 3460	2468	Swift.exe	85
PID 2468 wrote to memory of 1644	2468	Swift.exe	87
PID 2468 wrote to memory of 1644	2468	Swift.exe	87
PID 1644 wrote to memory of 1796	1644	msedgewebview2.exe	88
PID 1644 wrote to memory of 1796	1644	msedgewebview2.exe	88
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 4008	1644	msedgewebview2.exe	89
PID 1644 wrote to memory of 560	1644	msedgewebview2.exe	90
PID 1644 wrote to memory of 560	1644	msedgewebview2.exe	90
PID 1644 wrote to memory of 2908	1644	msedgewebview2.exe	91

C:\Users\Admin\AppData\Local\Temp\Swift.exe
"C:\Users\Admin\AppData\Local\Temp\Swift.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\Scripts.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\Scripts'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\Workspace.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\Workspace'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\AutoExec.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\AutoExec'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --enable-features=RemoveRedirectionBitmap --lang=en-US --mojo-named-platform-channel-pipe=2468.2160.16217371784585369785
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\swift\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x160,0x164,0x168,0x13c,0x170,0x7ff8b3b0b078,0x7ff8b3b0b084,0x7ff8b3b0b090
    3⤵
    PID:1796
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1692,i,11658246504983271343,2471193004671495528,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1648 /prefetch:2
    3⤵
    PID:4008
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=1992,i,11658246504983271343,2471193004671495528,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2004 /prefetch:11
    3⤵
    PID:560
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2264,i,11658246504983271343,2471193004671495528,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:13
    3⤵
    PID:2908
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3516,i,11658246504983271343,2471193004671495528,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
    3⤵
    PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b460c5aa61d0dd50667f187d64747df

SHA1
e95362244531b2b3cc63f4830d481b70c45a62a8

SHA256
27fa39b21f726de242c8548e5db00216d498ab9e510fb02669e5b1d7e6ec945c

SHA512
bc3be8e41476d2433ab3e1585463b80c474931e3b853bd77b7eadf204840da94c195ade3513cbb0a949ad6adab4b884d9382481b6188fc502ec31a762480fd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swift-Module.dll

Filesize
22.5MB

MD5
c568dbc5fd90067a6712055023a18568

SHA1
1546683eb7ed167b54b9e4fb0a8ae72374f688e8

SHA256
ed927320654bccb0164b7c1e8835975ec9f680d607cfea982c7a0a103684d188

SHA512
72da4af29fd9aeda9851fc0a0a4ffc8a5b35f260074f2203381a760c94e4b836fe28b11186a6d3cca4d01de65893c0063edfcf355268b689330915ab66339816

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kh2lphkc.ze4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
dfb1dd9c9459367e8cb3c32c1c8eb556

SHA1
e538bcadd06db4d0dd613fb47cfd1fa8e7363bdb

SHA256
6454b003de6aebd0e13a0a9a72625d330db64b9ee8d7bd2abd4334d989f50835

SHA512
dce8cb57c1882a32fc13e81bc521cfc73e25dbf68ec7704be673bb37a7ca918c4d3b438444bffd20803d581bd102c5dc6641cb3187c56639cef86c85ec0a4ead

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
2bdd732a19582ac58e1c6f07dc63cf67

SHA1
55e935e3f9d053bc686a62e808c0b9f430ae441b

SHA256
a6791f48c9c481dbd7168ff8486b443526676ee80120fb6c700a2f5b79bc1675

SHA512
9a1ef8e848062ea7152b0bd6d82da31c1f4e95a152040485b03a31d82338f2dedb4a1fc57f35b4f300592342553d5d81f66edbc25531dc7ea55ba49aeb7768a7

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State

Filesize
1KB

MD5
370e94d05d24629bfc14627f572b15f6

SHA1
b16a06fe66e28e7bf7ccea763667bd1b6c74c3b8

SHA256
7b8e58ecb3585c64d323bed67e61a14b991336402a8d36e4bd7da2ff935aefc5

SHA512
920fbd830746f5c6c1a503b72796105b8845e719f824fd9953459cd7c5c83f8ab225112206c6bbf561592972563ab932a31c79088860b787fb182cf30705fa3d

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State

Filesize
2KB

MD5
e2459efcd480bc53d4f885d57e0ad0c8

SHA1
3ca44ea280d89eab5c581d4a3a1a68521a183ce7

SHA256
766d5e18fb5b0692e62100ac3e1df4d21a7ff6191e0821a527b7d84087ae009a

SHA512
91a8f37f77182c05450b3cea7a6bcabb98037faf8f8b9cd6d29228ee138acc94abdf3fb78ffd24626307dff35a1dd0e276e30fe49551b534b39e4275bf1a8074

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State

Filesize
3KB

MD5
756872effc7d90a9d8c416791dc9c353

SHA1
511c1dda82223455ef3b652b6181f47bffa5f976

SHA256
882ea5fbc84fc56b04d36fb4686f1886c56d999d07e3f10a8c8c1103e97cc534

SHA512
8384a0019fd9a38a8a854b64dbbd17a71180c096a4abff0c00e4a4a5a521dd84aa4b215f92a442a3129490331da4b2357bfc11b34d94f2a86720049035064d92

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State

Filesize
16KB

MD5
7779862e1f040e44e9333996eade77d2

SHA1
4d846baddd28fd5bb682b1e26c2862b29e73e596

SHA256
12e2faaae3a3da1cd6549cc1c2df380f49cb2594512d6d10135a8633b0bfeb3d

SHA512
1298f58085cb4d985f7f1774b20c5bcbd493c28a4208ad57244110f46afe4f801c3aae46a91a869c9bceaf08f4cc9f0433cd4d94ba5db977bf9b2bdeb250bfee

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State~RFe57ddae.TMP

Filesize
1KB

MD5
839d6eef5d8bc413d33f237dbf458a26

SHA1
be07cfd837b1a9a9e1bf3c76b3309fe644bb0f1f

SHA256
0eae4a24080ebfceb1e53230fed71acf96968085b548d5f88bf09611673c82c2

SHA512
7aef96aeac456204ddd01bf3bf2697ca112c2af99f03e7d47a9f1f8fed2f2d213960e1f13becc3309d135ff46e7ea37d987af404590da52a4512eda1af8c01a8

Download Submit
memory/124-6-0x00007FF8D44A0000-0x00007FF8D46A9000-memory.dmp

Filesize
2.0MB

Download
memory/124-8-0x00007FF8D44A0000-0x00007FF8D46A9000-memory.dmp

Filesize
2.0MB

Download
memory/124-7-0x00007FF8D44A0000-0x00007FF8D46A9000-memory.dmp

Filesize
2.0MB

Download
memory/124-17-0x000001C5FC240000-0x000001C5FC262000-memory.dmp

Filesize
136KB

Download
memory/124-22-0x00007FF8D44A0000-0x00007FF8D46A9000-memory.dmp

Filesize
2.0MB

Download
memory/1188-192-0x00007FF8D2F50000-0x00007FF8D2F51000-memory.dmp

Filesize
4KB

Download
memory/2468-2-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/2468-5-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/2468-0-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/2468-3-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/2468-4-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/2468-18-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/2468-217-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/2468-237-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/2468-1-0x00007FF8D4547000-0x00007FF8D4549000-memory.dmp

Filesize
8KB

Download
memory/2468-262-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/4008-72-0x00007FF8D2F50000-0x00007FF8D2F51000-memory.dmp

Filesize
4KB

Download