xworm | hxxps://github[.]com/alienfn/Fortnite-external-updated/blob/main/fortnite%20extenral[.][.]zip

Analysis

max time kernel
112s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/alienfn/Fortnite-external-updated/blob/main/fortnite%20extenral..zip

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

176.96.137.232:4444

Attributes

Install_directory
%ProgramData%
install_file
Nvidia.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d75-493.dat	family_xworm
behavioral1/files/0x0009000000023e13-498.dat	family_xworm
behavioral1/memory/6068-499-0x00000000000A0000-0x00000000000B8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nvidia.lnk	bfsv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nvidia.lnk	bfsv.exe

Executes dropped EXE 2 IoCs

pid	Process
5940	husX.exe
6068	bfsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
59	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\bfsv.exe	husX.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6068	bfsv.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1880	msedge.exe
1880	msedge.exe
3228	msedge.exe
3228	msedge.exe
4796	identity_helper.exe
4796	identity_helper.exe
2484	msedge.exe
2484	msedge.exe
6068	bfsv.exe
6068	bfsv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	5544	7zG.exe
Token: 35	5544	7zG.exe
Token: SeSecurityPrivilege	5544	7zG.exe
Token: SeSecurityPrivilege	5544	7zG.exe
Token: SeDebugPrivilege	6068	bfsv.exe
Token: SeDebugPrivilege	6068	bfsv.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
5544	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5940	husX.exe
6068	bfsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2708	3228	msedge.exe	84
PID 3228 wrote to memory of 2708	3228	msedge.exe	84
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1824	3228	msedge.exe	85
PID 3228 wrote to memory of 1880	3228	msedge.exe	86
PID 3228 wrote to memory of 1880	3228	msedge.exe	86
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87
PID 3228 wrote to memory of 1140	3228	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/alienfn/Fortnite-external-updated/blob/main/fortnite%20extenral..zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc706f46f8,0x7ffc706f4708,0x7ffc706f4718
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2356 /prefetch:2
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2344,13746943658148520947,11646522105248201095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:2004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5480

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\fortnite extenral_\" -spe -an -ai#7zMap25532:98:7zEvent206
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5544

C:\Users\Admin\Downloads\fortnite extenral_\husX\build\husX.exe
"C:\Users\Admin\Downloads\fortnite extenral_\husX\build\husX.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\Windows\\bfsv.exe
  2⤵
  PID:6052
- - C:\Windows\bfsv.exe
    C:\\Windows\\bfsv.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
010f6dd77f14afcb78185650052a120d

SHA1
76139f0141fa930b6460f3ca6f00671b4627dc98

SHA256
80321891fd7f7c02dd4be4e5be09f8e57d49e076c750f8deb300be8f600de2d7

SHA512
6e6c9e348e948b946cfb97478698423e1272c4417bc8540e5daa64858e28be8fda5baf28538aee849f8bb409c17a51c60e48a3f1793e3a86cb27edeb32aa30a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f09c5037ff47e75546f2997642cac037

SHA1
63d599921be61b598ef4605a837bb8422222bef2

SHA256
ba61197fff5ed487084790b869045ab41830bdf6db815503e8e064dd4e4df662

SHA512
280bff6eac4b2b4fe515696223f61531f6b507c4c863ad9eef5ab0b1d65d264eba74fb7c9314b6920922142b8ab7605792211fca11a9a9ef0fc2ae995bf4f473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0e1e9d1712935dac4489c4e759028382

SHA1
bfd161e55c9d90bb235714a71deb86e9b80342ee

SHA256
fbe0ecd105e3bbdfefc83ab465492d2910abaf7606848f2abafe319e8c8e867a

SHA512
eacd7c20be88ab9b9ffd5d2be1a34390a59cef447d05f6ab0f003ac82c0f360a2d9228613f79c972ddac3c25084f156548e29026e66811976ee09c287a539a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a8a7c3dafeb4ad3d8cb846fc95b8f1c

SHA1
69e2b994e6882e1e783410dae53181984050fa13

SHA256
a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90

SHA512
2e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d19be283d45de0bd10f88a257316fae4

SHA1
da90c3362cc40a57760c75448a8eef7e169fb748

SHA256
ec30effa5863e20b40225e61f41c21f3c38f105d5a77c6068b47c6e72c8a4a16

SHA512
3d8399e8b905dcb293cb0ceb385056e8bb411e6cd5b5475bf9dfb5af79cb8e85162a8e34ce09d91433c46b180d0d1c0a02a8280d233bfdd29afe7fab4f57e7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
605637573f5bc978aafe037ec7ade3ad

SHA1
213e4847fbf9c1ee022e122b6fc5abcbc7b74509

SHA256
f16a617fd11ca28a0196f6052de05c0e56af20f02191bceac2027a8678754c42

SHA512
7cc3761776905e5f46d01586bcee92f89d55de208c5a6ee605cdda28b27c0b57501607f0adf0681aeb65793e9c05edaeaa07ddfac6b7c732db2c5751848e94d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
50e817cfa0abc32f98c767d86acd7a92

SHA1
a63d862e599a8cba4081e440c69813aad4214592

SHA256
59797eebc4ca75410ef6b85c3ed07333df0f885e6c0c897d06b7d9165e51837f

SHA512
cae5a04520b9cb62d2eac5358d77caddf86583c5470641fb8e1780785298d401c8242e7ad594535764dc166fff517cca4ff9dd95010ca165589bfda59c43278a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6899c229c53341f01081708b36176f7c

SHA1
a4a5c6875f9a9e0899ac31faf16fef5a8703e6d0

SHA256
89a1bf27401e025a06b2a1aae86d5cefbf4cffcba299325141949902ec309a50

SHA512
220c4f3ad176b2f91706a8451d58c04847bbf00864d2f8b5178cf366d699a3bdb365b8edf164b6b6e07657f54538d9a75ff74a2541fcb1f3f27104dab3379fba

Download Submit
C:\Users\Admin\Downloads\fortnite extenral..zip

Filesize
4.9MB

MD5
e968b426eb108e46472de02f1d263cb3

SHA1
073e27e505e71cdd25cf285590dd04b27c989068

SHA256
16d0ca2dcd0da01d960c2145aa0f7a57f7be6056ee8ac0090f2a8da05e2b296d

SHA512
7ed40d264bb02a16aae56b03cfb352be31e41f1885b0942ec293b8b112ea89b52b07c6c7887b02575c42677d46ee2dd2994cdcb02f798800b69f8bde2259da5a

Download Submit
C:\Users\Admin\Downloads\fortnite extenral_\husX\build\husX.exe

Filesize
1.2MB

MD5
7e9af2c037ddd51d1d20d9e66ff43590

SHA1
9d615f3a0b91f7f64eef7eb2ee1241eb22216e19

SHA256
2a5e29a1ab926677dc017a6759bb4fc088a46a29c8489424ca543a1d1c144f46

SHA512
5735e4f036d52ee63e38447a9851c56e41c390cd7f4eff43d2c9b397d683b4466004c973b1702cb58e6f8e2a847869016bf2e6bdf5995eaab880e2e9b7f9fb8e

Download Submit
C:\Windows\bfsv.exe

Filesize
74KB

MD5
cee1e7c4ee14c83706f177a0b880d57d

SHA1
3c4015b060683ad5c9bc203fd9ef031bce7f4f2f

SHA256
cddaa18328722464947bc204eb543b06244fa88f9b7457aab9c9f091ded9e205

SHA512
eb03629a24c65ad46c7306303f91359b85a8291a9f563842a2257986dd17e40840d58ad70c424da79c0e8fcf70d9ea2e80ab48d1d740dea4a3ea0bed347fc5cc

Download Submit
memory/6068-499-0x00000000000A0000-0x00000000000B8000-memory.dmp

Filesize
96KB

Download