Overview

overview

10

Static

static

3

30fcff7add...b8.exe

windows7-x64

10

30fcff7add...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2025, 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe

  • Size

    31KB

  • MD5

    dd7f88a68a76acc0be9eb0515d54a82a

  • SHA1

    ca205a28b8dbd74c60fdeaf522804d5a2a45dd0b

  • SHA256

    30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8

  • SHA512

    8e99c1d3291dacaf13c7aff75549d50484b593022bdb82cb3ecffd58f0bbf1dd1ae4deeb09f072d4c3f1b8918a0bc785a397143863466975dad950e115db5af6

  • SSDEEP

    768:73QN4DGrqBLP977YowZe478mR26fgjVyBm8Je7tFv/7iJFzMWe:7gdoT93DaRXf5B+tFcJe

Score
10/10
babukcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\bg-BG\How To Restore Your Files.txt

Ransom Note
----------- [ Hello, WIGGINS-AIR ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. What information compromised? ---------------------------------------------- We copied more than 10 gb from your internal network, here are some proofs, for additional confirmations, please chat with us In cases of ignoring us, the information will be released to the public. https://i.imgur.com/RzYzVnY.png https://i.imgur.com/kJzIOqn.png https://i.imgur.com/bFdNbyO.png How to contact us? ---------------------------------------------- Using TOR Browser ( https://www.torproject.org/download/ ): Char url: http://babukq4e2p4wu4iq.onion/login.php?id=0KflFXBAmSHtJrtKWtOPzxZmhJATon !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!
URLs

https://i.imgur.com/RzYzVnY.png

https://i.imgur.com/kJzIOqn.png

https://i.imgur.com/bFdNbyO.png

http://babukq4e2p4wu4iq.onion/login.php?id=0KflFXBAmSHtJrtKWtOPzxZmhJATon

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • Babuk family
    babuk
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (1955) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe
    "C:\Users\Admin\AppData\Local\Temp\30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2252
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1720
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2964
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:1984
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4448
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\How To Restore Your Files.txt
      1⤵
        PID:2944
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3080
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd53dcdcf8,0x7ffd53dcdd04,0x7ffd53dcdd10
          2⤵
            PID:3940
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1976 /prefetch:2
            2⤵
              PID:2324
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1592,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2284 /prefetch:3
              2⤵
                PID:4788
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3028,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3052 /prefetch:1
                2⤵
                  PID:1924
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2976,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2988 /prefetch:1
                  2⤵
                    PID:4824
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2564 /prefetch:8
                    2⤵
                      PID:1528
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4296,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4308 /prefetch:2
                      2⤵
                        PID:4372
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4712,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4748 /prefetch:1
                        2⤵
                          PID:3032
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5300,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5420 /prefetch:8
                          2⤵
                            PID:292
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5516 /prefetch:8
                            2⤵
                              PID:964
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5616,i,4436042611832833153,2677537345262850444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5512 /prefetch:1
                              2⤵
                                PID:5192
                            • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                              1⤵
                                PID:2168
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                1⤵
                                  PID:5200

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\69c09967-fa2c-4ed2-ace7-76cda03e3cf0.tmp
                                  Filesize

                                  11KB

                                  MD5

                                  a89567d974f433a18a0739655129371f

                                  SHA1

                                  cccb2c29ffa19a74e5a4d6901981bf28d7bd659c

                                  SHA256

                                  aa1541bbb46dbc6ee941e14cb9ecd2c167d9c80f15e89244a11b57c4151e89c0

                                  SHA512

                                  164a24404193f4e5f55d0d407f364c7547423f9c0504cfa5d5b7b8786f7bd0897b94aeb9a80537773dd7eef7e6295db3ebb6f051dde78507fc5b82f56ea268a7

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                  Filesize

                                  649B

                                  MD5

                                  d93fc8b5fefb9f966f2eeb6c604d0ece

                                  SHA1

                                  35553d0f58e64791c10baf77ce61d60c6d8d3f00

                                  SHA256

                                  7898e73ffc9300bbb88292e0b01e943c1dc0bdb708b2a986c5540b40221ecadf

                                  SHA512

                                  1ca8191ad78bfbeb6623b124d57b772b76da2f4b97e0c58f6c3f4f87386260cd77c55952d5460dd0940530c96250ad1ebe7cfe90c3effd8123e0d24e895ec6d3

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1
                                  Filesize

                                  264KB

                                  MD5

                                  f50f89a0a91564d0b8a211f8921aa7de

                                  SHA1

                                  112403a17dd69d5b9018b8cede023cb3b54eab7d

                                  SHA256

                                  b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                  SHA512

                                  bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                  Filesize

                                  2KB

                                  MD5

                                  4af315a28559a53ff8dc280d98063a5f

                                  SHA1

                                  eb6b5482a0454ddc74e5d5a4e020496485c33ed9

                                  SHA256

                                  8d9dd9faf684c416f1ff2f8d60c08b7bf1177c3cd66518e91b5d2f4076b4d99e

                                  SHA512

                                  112a856195055372c1e8878e6a2cd2f7e72e5db0e97c7f2591cbe9418f13a5bf7ddcabfe469d7901397fb8bc6aa4c4d706c92580db70cfdd2d4eb1a6bcf277e9

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                  Filesize

                                  2B

                                  MD5

                                  d751713988987e9331980363e24189ce

                                  SHA1

                                  97d170e1550eee4afc0af065b78cda302a97674c

                                  SHA256

                                  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                  SHA512

                                  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                  Filesize

                                  690B

                                  MD5

                                  6a494b540c82231f367bd484b7d2023c

                                  SHA1

                                  bbd6787dc04a1a484078907e54ab5d13d93cd207

                                  SHA256

                                  9f468e6bab1fd210c6ab4f3dcd3f86067b34af1063ec58eea3ebbb9f7a238b7d

                                  SHA512

                                  40e8d2f7acfb24f62e39109646c2e1b32c0d09a273874ce39c968edbdd6a965dbbf6477200314374aa37f9bcb9e7324b899b1e5fcf71ee3898eaae2cd6b5ea77

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                  Filesize

                                  10KB

                                  MD5

                                  a70c785fe003d2cacedec7092ad34f9e

                                  SHA1

                                  ac19f18920b9c3a7ed994d86f7a6362822f03982

                                  SHA256

                                  21b2aba3b5ce9720e26d0471bba2528bdd54535ff2cce51794a925e4e57a44ed

                                  SHA512

                                  ed0c35a273252f064c742045fa42ea18d3a2da422e3098797c42a2fd7861047624fba7a6ef604f68627996cdf8b5ab15b9f6a4a094d2f41cb8f324151d1f050f

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                  Filesize

                                  15KB

                                  MD5

                                  509b2996ef35eb3956f7f5df363beb2d

                                  SHA1

                                  9435dde2ca5d0d3c75cf63113f4f3bad6c685e89

                                  SHA256

                                  d062c6a79ca58db3a026cf42e1d2ff16951c54b659c77bd0032a75f948798090

                                  SHA512

                                  0f310e26fedcc5eb4413fd8929fef33816cf669691dd6f45d054b244337c2095ddfb1412557034fdf00004cf8b6be5cce6b6b88a733e7efb8125b02857c83033

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                  Filesize

                                  72B

                                  MD5

                                  7d68fde402c288d04646ed94e8bec3fa

                                  SHA1

                                  95bc09672f4c164cc10ebb3b7da4824cf092c237

                                  SHA256

                                  52882897ea006c792caa5e1072916ad22a1799077669f1dde55f37cab8d7cd5e

                                  SHA512

                                  4a8edc26df0f247a31c9c85e6da735b069c870d4dd374dcfb25538de03d8c87799310d0cd8e1556c7d0277a4eeb405d8928f454ee0b84ca6ff2c588cd4a8d74b

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58f7b9.TMP
                                  Filesize

                                  48B

                                  MD5

                                  ff5334b7366de18c565e9be89eda6c9b

                                  SHA1

                                  6b2b517c6c638241c7c5ac10ff1d89687c3600a8

                                  SHA256

                                  04ce5dcfbee085055184dab0d1493ff18c114304239707e12b163ef47e2a90fd

                                  SHA512

                                  128dacd2f8fb29cb9e6289411b69e3426a16addad2925c057ffe1e6d340715325a00f59ac68e416dd31254df2c44dab3b537594bf9ba192c799de85920446526

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                  Filesize

                                  155KB

                                  MD5

                                  3e948ab1e6b41f5c48a117528c29ccea

                                  SHA1

                                  9e243ccf8c584713d515f479e6be404c66ba2cca

                                  SHA256

                                  3ec369adbded0c3c2123e63901777d9349f654a7ef53f8c7ae084112364a3c37

                                  SHA512

                                  5e4842b261b796a69f0774f2e4c39c3babc4bd6791ad4e33c8ea283619a62838c953d598fe05940e20ae37641c0fb14f1f0a1bf1ac83c742e078bc1cedc16686

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                  Filesize

                                  80KB

                                  MD5

                                  ec1254b42baca7e0cfce669e554e32ba

                                  SHA1

                                  5880e95b246864d26afe34b4184d57e87d844c87

                                  SHA256

                                  740a6379869f7886aabbd927e317c8f578ddc61a897be71a257af2390f245626

                                  SHA512

                                  70e44ac65bd1944b946e6ced054c8cf389acaf7106f5c0df9e424c86399ae7186bccec31c46aa02ca16c0da47a83c3cdd56bf633bdc110180ad6d4c8f13262f8

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                  Filesize

                                  155KB

                                  MD5

                                  6e369531743ddf305caf3e337f48aca3

                                  SHA1

                                  673ac537b41774b1a1e76f266375ab4d3ab16a26

                                  SHA256

                                  1cfbce66dc984761878f10b0b5c87a4c8883833c5785256a4871dc64e0d0ffb6

                                  SHA512

                                  49f2fe830afb1e77d072690bcc2f382155e4df826b66a0a52d2995ad7a4ab8f3b77aa3b79ad94c9f4de5d6764c952c1a3c5fc650741ba70fc57b47c19b9bf4fe

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
                                  Filesize

                                  19KB

                                  MD5

                                  89aa298f72b0c0c0fb31c83619334546

                                  SHA1

                                  7194f13435a9f12059c66ac307616656ae6cf885

                                  SHA256

                                  548f73e4c8bf08bbf69158d21c92e13e7fd0c4a717396cfbf6098ad12b603396

                                  SHA512

                                  f6bd3287b68a92c60ff8cc529647fed9d55df48bf3273443ea332d68e0272b6639835cd189f2b6af0ca58caac437f968519b79cfca014d06cc010cbf757079c3

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
                                  Filesize

                                  21KB

                                  MD5

                                  38fbc9f33b19300015e6cd6a8d3ee49d

                                  SHA1

                                  76d00a655754ca457647f3fb3f0b820180d3621c

                                  SHA256

                                  ac7b17cd71bbad500d16ee92fc5b8b51fb755201d3781b8bc01aea44662259d1

                                  SHA512

                                  72490fa396cc699726b74fd0259da9a38b5aefd23047437cdd10406230b90789c71563b7154a20f30b22ac86b81f271f30902da9d52fc19f6da23b8d6682ffe8

                                  Download Submit

                                • \Device\HarddiskVolume1\Boot\bg-BG\How To Restore Your Files.txt
                                  Filesize

                                  1KB

                                  MD5

                                  4696310ca321ce5a34e879b4e8b0611a

                                  SHA1

                                  89082071a1e6d3379a923ef6a39903cc05dfe495

                                  SHA256

                                  1f366b81cfa615b53eb24345d09abee973b2b82778f5f21f8ee31fbe13e7d92a

                                  SHA512

                                  94bfbe6b23e73435a30c6f1bb94970bf9eaa1d9cea0e38d654e23be28ff3802dbabb3984087784a3a99b12f6517389378f1d4c3016b15b6b05a498293480c7d5

                                  Download Submit