Malware Analysis Report

2024-10-19 12:19

Sample ID 230920-1w5anaah3w
Target 3de0ca27d3f0b6ae0deccb6ee1f11f8693100fe7d829ae73473e911aef8f1918.bin
SHA256 3de0ca27d3f0b6ae0deccb6ee1f11f8693100fe7d829ae73473e911aef8f1918
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 3de0ca27d3f0b6ae0deccb6ee1f11f8693100fe7d829ae73473e911aef8f1918.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer ransomware rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Acquires the wake lock.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-20 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-20 22:00

Reported

2023-09-20 22:03

Platform

win10v2004-20230915-en

Max time kernel

91s

Max time network

151s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058958" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058958" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058958" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402012238" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{309288DC-5801-11EE-A4AD-D212195BFD32} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "85191418" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053f6c1c968fea744ae4054d48ac91ea9000000000200000000001066000000010000200000009ff3d90137884eab3b0877c8ba8657554b338a6629798344fba620fc2fee8e72000000000e80000000020000200000003b4eec41c88f26ef3d4e2cb7b1307b24008eae5ae08c61fd7bbcdee178c98ee2200000002233e21019cb6128093591d415b334451e901c90148445f294e50910a58c9a54400000003d77f9c4bd33809d8aca8d8dc27ef3f89d6ee539decb20c722f0342d589ffede4fcc9f1f21c9e886c513ab4fbce38a94eb68f7be6b796427fa7c72786bf63e99 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b091be060eecd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053f6c1c968fea744ae4054d48ac91ea90000000002000000000010660000000100002000000026996d657b83d6a23b7f393e7fc6b1796b0d4934c371bb46504ebe67f82d3113000000000e800000000200002000000086b5242d8f943ba8dda5b387567576f62abc42cf71d58844ff9c6c009654d1d7200000005e299bc52cbd199e70c077fe7016e76fece3efaf1bdd86a31664bba9e87ecbd940000000e1a7f387fe91bbbc227318560cb5d951b45c9afa6ccc2f826b48803debe8b103aff0efa4d8c7a223b3968db0aa01589606309f8e0cb1866655f553618c917ec2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "98628952" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "85036397" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c3a6060eecd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 155.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZFOAR009\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-20 22:00

Reported

2023-09-20 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

3030297s

Max time network

130s

Command Line

com.seaknowsplp

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json N/A N/A
N/A /data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json N/A N/A
N/A /data/user/0/com.seaknowsplp/cache/fxuzb N/A N/A
N/A /data/user/0/com.seaknowsplp/cache/fxuzb N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.seaknowsplp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.seaknowsplp/app_DynamicOptDex/oat/x86/Dild.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.170:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.251.36.42:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 junggvrebvqq.org udp
US 1.1.1.1:53 lauytropo.net udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 bobnoopo.org udp
US 1.1.1.1:53 junggvbvqqnetok.com udp
US 1.1.1.1:53 lauytropo.net udp
US 1.1.1.1:53 junggvbvqqnetok.com udp
US 1.1.1.1:53 junggvbvqqnetok.com udp
US 1.1.1.1:53 junggpervbvqqqqqq.com udp
US 1.1.1.1:53 reservop.top udp
US 1.1.1.1:53 junggvbvqqgroup.com udp
NL 172.217.168.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp

Files

/data/data/com.seaknowsplp/app_DynamicOptDex/Dild.json

MD5 2e5fe405a120b75cc65cd2844ed028c8
SHA1 8009d3d4feda42bb679f76fcb2364b402a332672
SHA256 654ddcc1dea947725ac83019b892a4ffba0b97845428d31026ca65a1385d44fe
SHA512 0f304367b2fedefac22fa7b22ba1173bc32d0b79264b758cb2522aa929fdb62d9503786fb015660b4945dd67d346748ba6157fc4511a6001b7f406df49910cc0

/data/data/com.seaknowsplp/app_DynamicOptDex/Dild.json

MD5 0c5d76c5fccdcd48df22b2fdea895c5b
SHA1 ba846963bf3454f635b570239780734279fb07ae
SHA256 87a5eaed5176f0c33f4d833fd4fc7bfb38da7aba6b4ebaaf569989ac38362fe1
SHA512 263a85a31ffde6339f12df1acb5ae324849cba0a4b6a4b1f2ac6e93e41f273d34ed244ba2abff2d29a4f22ba9970d92bafdabdf7b14b7d9e4bb8567e6b25c501

/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json

MD5 abdfa1fc42842d12414d867f537a84be
SHA1 9892e8c24047ae6e3b1b35be1aaf4fec01620e3c
SHA256 cd40e2d8a61b7a5d1fc9a3f05f8203ee7971ca8ebbd2f7b23106ec31dfd08298
SHA512 ff0ab81d177eb898a91642162b15658b83dde11b886f95c36690f6c974ef949d9fa24689bdbbfa1546cad47314c24f2da94c3058f49e61d8c456950214d37849

/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json

MD5 64a95da5ce47d088bb564caf680bd228
SHA1 eb70c209906b1f9c66c9ac2eae37395221348695
SHA256 2fc975b6b4c3e231e12c1b9fdfb188fbfaf7ed50758a6ea55e36be506dea0551
SHA512 f9c6a1fa8a829be4e84634176027f41931b00282033720182d25e4cfae746321655940483ac39c27ef7c11e86de046cc589c031d8175407288b3e3ce62e3ed23

/data/data/com.seaknowsplp/cache/fxuzb

MD5 a1405db751a141e61ad44b351fa1f62a
SHA1 a3e44b7dd5e3e79b10d455cc951688d7716d589d
SHA256 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082
SHA512 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1

/data/user/0/com.seaknowsplp/cache/fxuzb

MD5 a1405db751a141e61ad44b351fa1f62a
SHA1 a3e44b7dd5e3e79b10d455cc951688d7716d589d
SHA256 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082
SHA512 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1

/data/data/com.seaknowsplp/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.seaknowsplp/kl.txt

MD5 43a12c1b7ac47221c235b4164115c7ad
SHA1 414872e672858bc176421ed340bd6865f8a689c8
SHA256 921c50a8018bc49871a73a0aae01397f11517757d47a02c94e9b44547996ff86
SHA512 775c5a253c30ebbda09a2b81690b7cce901ca25fb09e9f34f46051c306e322ffe285dca9bfcfa521bf22e8f47186f78bc4b1e3f330913109be7a38196ffce03c

/data/data/com.seaknowsplp/kl.txt

MD5 afed4d27932a62fd826897259b74641a
SHA1 1d55e5687ca7139b1ab5b9a49707c9bbb32e2f6e
SHA256 2a61a30b4715c6bd270c5ccab197302830f7a60f2e1c7f5ad3d5e828d5d0912b
SHA512 e5dbabbd326815d280bd8a1b672e18f7726f7db7c6f4a7d401c8a9c720cd43d8dd36a48fae1042f9af08b703d1863c0e1dd86b4c0df38cf6b4155e8600ee5240

/data/data/com.seaknowsplp/kl.txt

MD5 23bd1e795b1d8d1a1f98edfbb3a1e1de
SHA1 c5b97364fe6b5299cf652d040cfbcc771386323a
SHA256 94438fb44f243eaa4a9edf1c70f1c0d848c0662ecaa7b15ab5d3a12f6cd1ac6a
SHA512 a1c9e38c1aaa85259c6190956f3a18376fa986244d11db17bd33d52b6c06d27e53455735202703f809cb5e91b686c05b21e0a7a03855f189f2382c857984ae62

/data/data/com.seaknowsplp/kl.txt

MD5 e7dcdb937399fb4ee468f28ccd6141f1
SHA1 629a9892c9caa139451ef92d92b771075e25ddc7
SHA256 f6d1cc67654ef77a14de89734845bde9e0beff6307d62c3ea92fa021587e62f6
SHA512 38a79604d598afea9ec9eecc60faf1fc6b5f4a68ebde29b70ed502b9bb2e647250198c4478e6f0cecb82c0e267a95e2918a9c1eab187c89ce78e0176a6ed4574

/data/data/com.seaknowsplp/cache/oat/fxuzb.cur.prof

MD5 bf3afc895847be4ce1ca5523c116551b
SHA1 bea3a1b597f0c2a2c34bad2fd99e9a61fe84d566
SHA256 ea49e09cb5e021fb34a4cf248ae576921a051d53fbb21395e010d74bd1a21631
SHA512 8f10b234072473714dd5eec926875d321853a6cdcce2a6d95b6604c0055071c1c87ff72cc17d208399b0fa8ea22150804e55c0c9fbb8b595977159304116f3bc

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-20 22:00

Reported

2023-09-20 22:03

Platform

android-x64-arm64-20230831-en

Max time kernel

3030298s

Max time network

143s

Command Line

com.seaknowsplp

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json N/A N/A
N/A /data/user/0/com.seaknowsplp/cache/fxuzb N/A N/A
N/A /data/user/0/com.seaknowsplp/cache/fxuzb N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.seaknowsplp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 lauytropo.net udp
US 1.1.1.1:53 junggpervbvqqqqqq.com udp
US 1.1.1.1:53 junggvbvqqgroup.com udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 reservop.top udp
US 1.1.1.1:53 bobnoopo.org udp
US 1.1.1.1:53 junggvbvqqnetok.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 bobnoopo.org udp
US 1.1.1.1:53 junggvrebvqq.org udp
US 1.1.1.1:53 bobnoopo.org udp
DE 172.217.23.206:443 tcp

Files

/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json

MD5 2e5fe405a120b75cc65cd2844ed028c8
SHA1 8009d3d4feda42bb679f76fcb2364b402a332672
SHA256 654ddcc1dea947725ac83019b892a4ffba0b97845428d31026ca65a1385d44fe
SHA512 0f304367b2fedefac22fa7b22ba1173bc32d0b79264b758cb2522aa929fdb62d9503786fb015660b4945dd67d346748ba6157fc4511a6001b7f406df49910cc0

/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json

MD5 0c5d76c5fccdcd48df22b2fdea895c5b
SHA1 ba846963bf3454f635b570239780734279fb07ae
SHA256 87a5eaed5176f0c33f4d833fd4fc7bfb38da7aba6b4ebaaf569989ac38362fe1
SHA512 263a85a31ffde6339f12df1acb5ae324849cba0a4b6a4b1f2ac6e93e41f273d34ed244ba2abff2d29a4f22ba9970d92bafdabdf7b14b7d9e4bb8567e6b25c501

/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json

MD5 abdfa1fc42842d12414d867f537a84be
SHA1 9892e8c24047ae6e3b1b35be1aaf4fec01620e3c
SHA256 cd40e2d8a61b7a5d1fc9a3f05f8203ee7971ca8ebbd2f7b23106ec31dfd08298
SHA512 ff0ab81d177eb898a91642162b15658b83dde11b886f95c36690f6c974ef949d9fa24689bdbbfa1546cad47314c24f2da94c3058f49e61d8c456950214d37849

/data/user/0/com.seaknowsplp/cache/fxuzb

MD5 a1405db751a141e61ad44b351fa1f62a
SHA1 a3e44b7dd5e3e79b10d455cc951688d7716d589d
SHA256 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082
SHA512 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1

/data/user/0/com.seaknowsplp/cache/oat/fxuzb.cur.prof

MD5 0825773fb2cf675cdb3a57e42c44537a
SHA1 dd4bde6e3d9baeb77c88bac89080f4138b929d5d
SHA256 a379bd7f1986eccfc2a13f49627f0aa7352d5abaaa676375fa7cd72b184af17a
SHA512 dd85a598354cfdcc39504dfa48409a3d5006d3fd093b79692ca37a2e970588e1aea5c570109f79a3a25ab10093845a24bb998c806bd98539256bf8bb6a989d2a

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-20 22:00

Reported

2023-09-20 22:03

Platform

win7-20230831-en

Max time kernel

134s

Max time network

131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f841040eecd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000f2dd5c70c9658eb8d0b9b03e7f4cc70dd1df83ac53d3e499bf1e94d0ffe43fe9000000000e8000000002000020000000a9a2cc651ed1f7da729cd89c538bec4cb221639f0b5d07e4b6cc65e651c1990d9000000029a1ae234e3fc0809db3019c95aef40e808fa04d85c0c132da9ce70d3b61486e9fcbed93bb233e6e27e8e952b9f07d9da525b0724f8dff74a123536729b404df2ded455878c9f7bf39fecf07102ba3d81694485e91025dc34a7ff8037440fcec3bfae0de219f0df7ea2a8b2039611b188005c8e48c7cd75c21a6f2d3bb22732c8e53be8bdb7402b8e8f5cff1f50a4a1b4000000082f2427c7b6f1d0f08f2e72a716d4fb741acc9473f8bd03e8bc7ec9a7a51497a340d216b451d54e840d03e53393aa21c9fd5b57f4d47fe9c436ec998aabf4fec C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef000000000200000000001066000000010000200000009eba478610aff1c2444a5cdeac76b0df0bd93077a7a474bb1814050ebbb76e22000000000e80000000020000200000003ac0aae2b315e6024259789dc9e98c38652bd09c31ccff0029f99c5b40ffcc3d20000000257407408af27b7399ae927ae0c60da48e11b9a12159f0f27112241ad5a36dbc40000000ea6034fa4766c092d86d87baff849085b3e10bce1926b00f2ff3a80f5260a94efb312b500bbbf969cf0e31c5b3614110e8b39a07c146a101f1d5120f941ed248 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2F8F8311-5801-11EE-A914-5AE3C8A3AD14} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401409128" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab5CF1.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5DFE.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7cc0b695f5030f1aced120b6da33ad6
SHA1 28f109ae748584133b5e5b9d43a786477e2664a9
SHA256 83cb4dfbbfda1a8f6d747a30aeaeb3069dba56d99381499fee01a4bae3d3954d
SHA512 ccfa7bf1ce2bd76b9b68378487fd3f462544e953231064d13bf6e5b830e6cad3f22a44daa4baffd25429fc2db9861a686a55986f84bf4c2f972c2c6b7026c9b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e4d0c11caf3e97bbc7d10e1fe5a616d
SHA1 2bb688646ae3cc191c22752234683e09e4384dab
SHA256 13372e78b121851e494579e8884caaa53315a1004c4842ae2a7ecdde82720a77
SHA512 ee53957cf94e30992c78e5b1b2025f8f8ba0221746afce73b4da64e3501c70687793e6473af6bfbba2e58dc0011916b4a7a6327e9112bdfd94ce1d66de35fb81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf21be597b9c224c33e9d1f69ddc7543
SHA1 37a48e8827e2b9ad6dce1d9bcafd36d756c21b77
SHA256 b16d152dbf9d59c0aee5a6f34d5d8366c8dbd8734a5f039b47447de9194f3da5
SHA512 76b4933f39022be75a005cf3c28226934ac490e448a2999f3279e5917e23be02381954357a5b66ebfe202e2def4670ab0657f8a25168267ddff4622430b4c7ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a42ea690e9d3aaef577aabf627670474
SHA1 bcb441ef45c52855715a22a1c362f4678f8ec9b1
SHA256 5394ac224186e5df54a9a4b92fe8319c12a5abc8e2ceb7fdf8f74876de3b6af5
SHA512 c19d3e7c39402c070432cee8695eeb35573eafbb0d0ea719d9fe47c02ad91c618f3cfa5e2789a89fdeaa13793a4093e7353151c4f03e4b3026ca14725a5c43a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57d4183631b4bf3f3724d861544d44ad
SHA1 ba3deb2858174ea2d4edb5160c619898f0eb6b82
SHA256 e861b8bfbb405ff21bc74a2e678ea1822202a32d60030985fd19a5a5acbc785a
SHA512 bf65b841e85df98e5059e21b2c0cad0cd343de8b83f753ac772a17b76172fe007a592a4af10853638535f17607cf8ebf319c0aafe2b5fdb2261ef8f428f2e142

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83ad9203af54ce101a4357a3858f7583
SHA1 5d188216558f49af489f2fd52d28a71e58bead9a
SHA256 a98e6050f90c38ae5fdd053f50e7a287b38981e042a4fdaad0c6168414efcfb3
SHA512 afd1dbe80bd3637716d2e68d0de019d8cecef10718d12d00450f94f39cba41cfd8f98acfa70b51bc8938e72c172c5ccdd3f2151ca94bcdef4846a4416d2eb74c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d33c3ed493dfe895e51d39460be5a113
SHA1 a1bacad29927af374cf18a0e44441e8f14791f99
SHA256 378d890b57b2b6035350aa3e3fd6da1b96f6aaeedf3dde9bb4cdf76ffc6cdc1a
SHA512 185a44e78abdd28876f08682a5fd30576272d1b5889c8b388cc2e65dc33a8c5ce52db862b830dceeda1c452d74768cd82adc1672a9fad763b41058df373848a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb72d33f54fdfd2db77500633bd0cd5f
SHA1 11dccdd52712d13e74d1ae43ecf8553ab8f67db4
SHA256 b86e91c7409d9aeeda2cd01cc7d05410525875e46bf7edc32a7faee3a6a35cf3
SHA512 0403b4827db673aea04496f5562efca82c5b6704266d71a8e6bd08513a6b69ef5f487b6744df9a5dd03c2aa5f911059f4b0d23915e729bcc6ad16dd167b0141c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 916178f2f61d0df90192d03172ab2399
SHA1 6021ec46c46b1184d6ce55c6e070e5c4a7dc575a
SHA256 03f9e0b455cfbb7bd257b7aed34115bc173f8a4972e081a0a11238090e74ae2d
SHA512 69f800861afc5e5b63f20c7cedebba0ec82e1f2a2c216e420fe45ed47d058911d12019900f17c8317e2c8daa0ac029a8152632fc69584a000a4c5bae4261bedf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42c4687c37a7d4cfbd153202fc8cca96
SHA1 4d09134425cd151c934cf75574fbfa8e294169f7
SHA256 4519b76c4b8585930c04411d1837f3220c47c98516695ed68aa176b17c5dd2f0
SHA512 1eccf0aad3537aa694e97f12017d4d4a43ced269a8d6d29e72caf48cde2e27c4b2032d807f0c94449c51ff38fa6a82968af43d379d5a9bb49ef0125e46bcec78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a83b37f1e7ad864b97c2bc722129162b
SHA1 be317b76bc7897e2ef0a7205bf8e571d3ac5d981
SHA256 a3c9862e4b81599e3cf50609556b9f37a94f29f1760fef687337955135bc7758
SHA512 18a1ffb756c27b6fa1de7b208ce008bb6d6e08b46200dc2df40bfde47b7c0fb9acf2a396cec721dcb41414efa107a5562927b710e2472bd2798ba9d61d603b23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f4041ca7ac724aa279c916a945d0272
SHA1 2b5d165b9d50e7482dbb9f9748b01dbe6c4b646b
SHA256 870a1f6aab375080ad608a53aea567ec3ac4921fd8cbd95be3db070c0e0b4782
SHA512 1030cf1a85c308def1c16e95654d7821870537f7299322e8cea94c783fcd4207966fb6a4def1f4655d75e52c82860f0fd0e18345514511a45f31ed4860575499

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb98866331e6b7cb24b9a2b26d3d541a
SHA1 f060775e4f90e8d8ab5900fe329389d779ee0182
SHA256 1f9d2443e5605ec94eb18f26744538da1aa3c395d28ff8c4ed3001fc50bef6ec
SHA512 2e66548a7390c8dc629b4a689e1a3b3ca65f64814e5f9fe6e450ecd8a9c67dafe80cfa145977e860209619e92b9aa72299a69c3b091278cbd0d1e87851950cc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20b2dedeb1a7f015ccdc2ef0c69a911c
SHA1 12efb9d230892ba1476bd4b892a3fedfdb4e6f06
SHA256 75dc7688291ff05b7cdbc6e57d3a42115ef49b57378e5f837daa2fd5febd0eae
SHA512 3edf0edfb2fae37a0644370868024cca0cc4af18c04419a7d441e5a4e8ffac684d07c0c015ade59e28033af6768d66a1c4c62a7c67dd913b27fc33b514851419

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e2dd6fbede4323d7a1f07298facf3d1
SHA1 6e28e993517e26577747644c2c57d7ec4d122c72
SHA256 14f1b7188a8b864cbed2d87eb7f77f727bd39697085a2e9cfba2d56580be3f38
SHA512 f0db1fd09204e29497f60c6ddbfcd1f4a8537f68340d6125ddffec5195d485478a7c3d321bcf1cc3d2c60ec25655a6a9ea29472e8407bfd8e07de6b0d01243dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 883e0bca762edef15afca22a88b6a6c6
SHA1 6b8d50e4c5dbc79276a647c54c2066b92a9b6379
SHA256 3e60d639b70c88661167095c21e9e0d63dac3f09863f0ea1a172f13c95356d6f
SHA512 bc25fad8d3ed599860fbc11283a776a7e907fb47b2914159e58e5d282ef6d6dec96bfd06d329f5453fce60cce73eb89a473ccb8f148db0ccb44b3fb6da5b0a81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ded7dd78105db2fabb13e992974e7b7a
SHA1 53a5b8d1ef328f13446d2bfda2c1464ebef959de
SHA256 2aff38ff6216d6fb6bff150cc590a547cb2a55965c066e37c16062af82583034
SHA512 c4076468c4e9040618199f2708db36ce9e2b4fbf33062209211e079ee3843b8e74f267035ac441a2dfd6142a25b41ebdac75fc82ce536b19281c9ee3ec8dffc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 999a670f315285a2fb3a6c6574779c31
SHA1 36631f4775c6330bd374c320881b476487177e6f
SHA256 c5fdb46b31ce025aeeda6719712046dbbb4cee50551168abde714a54b92a429e
SHA512 008d6d23e2067bed99eea1f136c88833ef4f2c4ffd17cdf8841c35f64eff951f98c7dd9a5a3c0a0330661d4ff224fc14a3e2ed42d8c4f59dcacf30035eb27fc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90242ba68a93f854f281fe4d100a26b1
SHA1 a2bb694e94a4846bf797ba928148321eba613108
SHA256 1c8ab5ed606cf0a3df9a0709ad43f48247b60ba3729bbe63188e964a453d67d6
SHA512 f420318a239ec27f4b5da82fd43a4686ebdf13e7c44431679667eca6f98ecabcbcfd189d0151c4217cf427b2b08b1792ca66670fd617e98c32b00936e6c8c156

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac83c548992a88eaf60ffb6331f394b2
SHA1 1ac5b6a75c465d456343c10a91e7469dc0156ece
SHA256 3cdd1971051d2b78b640f0c25b81e2fb500ad95811009f19b89d01e76a5cbe95
SHA512 6d6f22a60c25a41dbfa78b1580008157d7b375dce7bc21bfb9ee8c14f749182a60900771b211e45bf78f5715bd0e04dbcbe996ff54c01318ff75a753fc22599b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49445c9568ad6ca4ddbee3933939d924
SHA1 d1cf49791a23cb6e1f0cc667cc3eeaaf098eea5b
SHA256 3bbe31ec719b6741c754e55af47dd4c31c9dc4eef80d9fdbc2bd5d5fe1ae4bcd
SHA512 3e75309e8e813fc3326e17ab641c34151f3fd2750c3e65abcab5782a8c1c625aeb245b5f1175cb578cba1b2ac77f7b9620052685454071e91dc1a56ab389e426

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a47c81e4a73d18dd57d8a37ebcfc8e4d
SHA1 9d0e54a4a5288e6917ee7b5a6fddf3a2f8d8646d
SHA256 e8de4f3f9d6c5a081b96ed509548087cd8c8d219e6f050e886b8ab1df2d84a5b
SHA512 b35f86543c81df28c22d0c55173ea1d8dda4faa9355700634e7a62111e21fe467b275d650166a00cf419d826a7f92754707971750eb7f76bc368f6006662744c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40aa17a730b6647948418092ed41af5c
SHA1 db590103dcfcb7741d1313e4ff85c7fbbee752b2
SHA256 f3f6d7b493b9d8d48870175bc163c9eaa6fcbae481ea8c544ba19765cbefd818
SHA512 e8586981c1c70e0d2eba4e249d78d0b57f263697690631503c1219a67d1fd9e99e6bbe50aa7bdafb76a573252a7351ed998bb4376cde1acc68e2b94c8b7d84b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f79c37a94c7b67885ee5aeb50b9c872
SHA1 86c7a146ce36e15b1a71182606b3bddec8b6438e
SHA256 f11b2ab38d0238b9d07beb1c382e616ae4295978e43d5fb1ed7f40791af31ce8
SHA512 e7d605792b8bb03a64a0daf5c8c8c853bfcf15313cd9e6ef1819505d8d0b21e9e40fb801ebca3359c4559d8f01189adf99347f7de1e25bd8dcf4e938ce994186

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e9e7f1a934f7faad4762d0beb7b9197
SHA1 6a72650f391ac96a7a4e2067f0338f6ee41e377a
SHA256 ce6047878fc58e2a49f707ce926fdd7131780cc78876dd9ea5b8664449187a0c
SHA512 e8e566c23eeb98498887b89eed8530e313f163eee096b60cc6047b0010e568fb098e2b024438ca99b9da36542c644aa34f63739b14add367e494d3f9ccd0e351

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1b1f6b88b47779231b9e8400fe2d418
SHA1 9ae2f4494aba7c1cfe29d59cb8dda3f14a3209e4
SHA256 4c87865a681deeb8c0e00e363ee1aaebf10d5a1c8694ee1a2d357e7700ec97cc
SHA512 0ee2ca74a9f5ca7840566d4c780607a600293decdcc26ebf2e9fe0bd80369e76a220372946642861138f27d3dc1c30f9e1a7b064bdfbdf088708f6e4ab1af662

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4889f9de5cad2ede09da702127b7b23c
SHA1 625173fa7463eab2b5d36ab32547f903b681229c
SHA256 86de31d39ad5661f7a5c1e7313bb8a3c13f28fc06520e1b895f286008249b2d6
SHA512 e6a5c442d44f6c0790f6cb2a056d3afba227e1d75604926705c31c943e3f223c7155fec528fae7bd688e838d781f3e92d4e6922c26019f32da0bc1054c72ecd7