babuk | ed07799f0d08d37f1ea3841f3727b142ecceddfaf1ee01896af149853eda7a38

Analysis

max time kernel
96s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
Size

79KB
MD5

4f0ccb90deee7a1c682aee81ed6b178f
SHA1

8e04625ea33a81ead19b76a61f0f93c767184175
SHA256

ed07799f0d08d37f1ea3841f3727b142ecceddfaf1ee01896af149853eda7a38
SHA512

5068373c347f4cadcdaee9455a6e410218756f53f71e6596bc2f3a3b62cb12b918afe37ee4abd37797bec7a0246804c1bb7c4638f14a1e6cb94e27383e85667d
SSDEEP

1536:ZOknM8H9Uzzb9srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2n4B:XnM8Hsf9srQLOJgY8Zp8LHD4XWaNH71C

Score

10^/10

babuk defense_evasion discovery execution impact ransomware

Malware Config

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Babuk family
babuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (224) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\U:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\H:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\V:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\B:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\M:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\R:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\T:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\A:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\L:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\N:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\I:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\O:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\P:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\G:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\X:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\Q:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\W:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\E:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\Y:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\S:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\J:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened (read-only)	\??\K:	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1344	1144	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1568	vssadmin.exe

NTFS ADS 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\䂘ö掐þC:\Users\Admin\AppData\Local\Temp\\How To Restore Your Files.txt.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\뼸ؖ䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\墠ö፨þC:\Users\Admin\AppData\Local\Temp\\How To Restore Your Files.txt.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\⒘ó䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\︨׬䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\鮀ؒ䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\𒈚䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\򞈚䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\⼘óༀÿC:\Users\Admin\Downloads\UnpublishReceive.vssx.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\墠ö掐þC:\Users\Admin\AppData\Local\Temp\䤸ö掐þC:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\墠ö掐þC:\Users\Admin\AppData\Local\Temp\䤸ö掐þC:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk.babyk.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\掐þC:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk.babyk.babyk.babyk.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\䤸ö䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\⁈ó䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\፨þనóC:\Users\Admin\AppData\Local\Temp\\How To Restore Your Files.txt.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\驀؊䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\䤸ö掐þC:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\墠ö掐þC:\Users\Admin\AppData\Local\Temp\䤸ö掐þC:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk.babyk.babyk.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\sers\Admin\AppData\Local\Temp\䤸ö掐þC:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk.babyk.babyk.babyk.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\墠öƨóC:\Users\Admin\AppData\Local\Temp\\How To Restore Your Files.txt.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\掐þC:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk.babyk.babyk.babyk.babyk.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\ቐþ䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\酸ؒ䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\顀ؒ䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\墠ö掐þC:\Users\Admin\AppData\Local\Temp\䤸ö掐þC:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\፨þ掐þC:\Users\Admin\AppData\Local\Temp\\How To Restore Your Files.txt.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\⎈ó䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\钸ؒ䂘öC:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk.babyk.babyk	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1328	vssvc.exe
Token: SeRestorePrivilege	1328	vssvc.exe
Token: SeAuditPrivilege	1328	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2564	1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe	86
PID 1144 wrote to memory of 2564	1144	2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe	86
PID 2564 wrote to memory of 1568	2564	cmd.exe	91
PID 2564 wrote to memory of 1568	2564	cmd.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-07_4f0ccb90deee7a1c682aee81ed6b178f_babuk_destroyer.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1648
  2⤵
  - Program crash
  PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1144 -ip 1144
1⤵
PID:3376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1144 -ip 1144
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ExpandLock.kix.babyk.babyk

Filesize
306KB

MD5
64de709da66bc145c746516dc438e059

SHA1
fb2ed86224bfb75235edae7b7a6470cdd5fb3054

SHA256
2fcf7129da6310ccf95343e69ee3d74ac7cbc3f6ac101fd7c6b4c37499e97b0e

SHA512
105169822249b5282dbcbd7eb00ac546d730183c094e810d5addfcd51e2ac203c5ed115febf76fa2a829009dd493a41efd9e8979894211e32fb756e78d25d6ed

Download Submit
C:\Users\Admin\Favorites\Links\How To Restore Your Files.txt.babyk.babyk

Filesize
8KB

MD5
5eada003dc497b00bac5b5288e70d52b

SHA1
daa4849fcb7dfc00a938b52d44a53f3bc28a4f74

SHA256
990fbd0af1060c1c9c1c06dc8fac2a8e0d776d33e18dffb4e297636a40b6ac4d

SHA512
8148a4359499f7e28d4540c4c549ab4ae922c3b031cc1cf5d6a1f379a50cf7810c056c7c56c2704f09a51c60e8c59607fc64e06e8618748112bc7d17be295f0f

Download Submit
C:\Users\Admin\How To Restore Your Files.txt

Filesize
8KB

MD5
2af817219bb1d24a11ab839b9453b5f3

SHA1
f9ff9075f9472c41aeb93df2e439fe624dc143b0

SHA256
6a16454cad4534d51025f65277abaec0ff4a30082840154a35889445bb3ad0a0

SHA512
d443e149d8b097cc64b0bbbf65e3d660de43943a4b36ac4c41bfbdfe814fb895d7ba97128aa1235b85d2292b79afc451fbcb89cc6a56d33ecff7d93e18a15c30

Download Submit
C:\Users\Admin\Music\DebugEdit.hta.babyk.babyk

Filesize
272KB

MD5
0cbea0afdc09ac6b51f73d68080f0d80

SHA1
0eab68f04d0bd00244fef29a00d1ad2c6d87fa92

SHA256
c7069f46e1210022a9c2781396e10ab838ee43b10079afc5d7732320c168ded0

SHA512
9decdf40f739df4a0f25b59b48872c01a8e15a284d408985e38740181fc530dc3be5ebe10ddb8bca37051610f956905897ed2f53606e2f65b80ae187df2c5051

Download Submit
C:\Users\Admin\Pictures\Camera Roll\How To Restore Your Files.txt.babyk

Filesize
8KB

MD5
06c7ae023feec5d8de0fe3b13738268c

SHA1
e3089d21615506a8628eedf509e49e43c78b68b8

SHA256
8c9f47c495f822e9809485cfa51d800e6b4d97eac47026e9f978c86c0640adae

SHA512
36a95c71614ff844619cd94596a070f0bbf7efa4500935f0b43b03592d6ec15a69ac3ed6014fe90ec11b6f84638127a524c5d29c770047c91ab65bcef963fb3b

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk

Filesize
8KB

MD5
97608712329d87bdc7bd16051d3ff59b

SHA1
184c133ed1182b6c4d27a68f21d9b980bec01176

SHA256
213e8eca032a6cb8c997b249b15794b36502fe1a7929a55a828e3a0f428bcdf3

SHA512
d325a9d319654058d689530be2882e46ebcfdfb52591028d4a941d53e9c0235f442eba4c5fde59a53654bc9dd349970033ad6825ccf4753c84f8f462afaa1890

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk

Filesize
8KB

MD5
b155bdef47aef8541ecf6ab410d83786

SHA1
42d56e3f5eba1f6ba3546212ac10356d2d4b6e1f

SHA256
0d6e7ed7cac7fdce87c1207cd1fa5c1979fc3e2caa1effa14a9e9da163f6654d

SHA512
cb0dcea16e721fb017047b0db0b684da5464c5d56119c28d481af69dfdf26029bca8880670d8669d9fe83fd81e23dd2f1b2811bfe7ce9d82943f64b6c734d2fb

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\How To Restore Your Files.txt.babyk

Filesize
8KB

MD5
099884066a968153685cdad82d919d72

SHA1
f926f66c603c13adfcb880c187f88bdba57774f9

SHA256
5a9f5fbdced6a834780c00f46f5f53c4aa45be1a817a2bb2262ae0c467d77447

SHA512
57849bb22b9fbae6239ef2c803f32fb3342eedcd1bbb1cb650c93cb9934d9ca7f55d21e76c0c665ec65041fe3a4e2ab8493c5335f17d883cba434950f54a43e2

Download Submit
C:\Users\Admin\Pictures\WatchWait.dib.babyk.babyk

Filesize
367KB

MD5
0ce534661a6fad9c851200fb9345f45d

SHA1
9e88286c538dece6a5db527394402e12dd12fc08

SHA256
15e6da59aa97fec2b79f4601e0b7bfdcb40f2481bff881e77030109a17b2eb70

SHA512
9971c82b1c7cb2e5825d999ccc44e351e6ce8dd147801b39176f3fde3b5c54a411805309e53004ed3c6161131eae6a2dff199d9a77104e306d1e877fa0b2d5cf

Download Submit
C:\Users\Default\Music\How To Restore Your Files.txt.babyk

Filesize
8KB

MD5
9f335b16672ffee31a03d965a87412c1

SHA1
57674d8eb8f63c9d968c18bb82cb210b48023e0b

SHA256
3f239b52581a3bfbca4efe87b959bbee78226c117c2fac51d50ea1f4f67e8193

SHA512
4158db2c8d0996ec49177a21f7a058e9a8c3964a74c2626c049153fb73403cf420383d33d37fd81ca9d145ab9d52d4d49b448d377adad889918306b774edf109

Download Submit
C:\Users\Default\Videos\How To Restore Your Files.txt.babyk

Filesize
8KB

MD5
43ded46da19a7a49223c29be8952588f

SHA1
0d3d295883ffb717cad4c156d49c9e068fbe4f55

SHA256
81808de67360be0631e7094155ac6612ff6a44855647ad939961ed681a091a93

SHA512
3404bc1a0c2353d5053243446f8a3e26cb26f3eeff2b0ab20fff52738a1d009a7b5da46843012c7050a344b32bb653312dc8506cc85d3372f9b131cb8a925d20

Download Submit
C:\Users\Default\Videos\How To Restore Your Files.txt.babyk

Filesize
8KB

MD5
3fec770fedd5353b57f555030e8f1b28

SHA1
ce48571521eb6e9d1a046ed4d8fc515bd03e6bd6

SHA256
e64b6c60c7dfc02c2f063edb8e6cd113b8872e600ae8d586986856adf6379bc4

SHA512
38d9074f5fb50586e227493a91a84378f1ef2fad4ac4744fd8780e82de654df26304b8dce3d5d28d87d924bef9878191a8f60290dc9843da3f7efba731fd3f43

Download Submit
C:\Users\Default\Videos\How To Restore Your Files.txt.babyk.babyk

Filesize
8KB

MD5
163a588de1ae8d643c379734f6eb4f0d

SHA1
fbca23b05872b78c3a68e737c024483b2d640bae

SHA256
495c039dd336493c094069e7475cba2ee4facba5dd24acd3866a28a2d61fc62a

SHA512
d21d7895eafe14e8a18cebf8d6051e6107c226e727d491dd744fe603326ad67bc5ca66cc25727b260b27dcb57bf00e3d0317198c36e252b241cbce2581c666e9

Download Submit