Analysis Overview
SHA256
a6e664bd38d4c2030e107e16efc00905f85554196bc3c4ba777edad54efefd09
Threat Level: Known bad
The file chrome-update23586.apk was found to be: Known bad.
Malicious Activity Summary
Octo
Octo payload
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Loads dropped Dex/Jar
Requests dangerous framework permissions
Acquires the wake lock.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Reads information about phone network operator.
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-20 06:58
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1704 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1704 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1704 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2656 wrote to memory of 2620 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2656 wrote to memory of 2620 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2656 wrote to memory of 2620 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2656 wrote to memory of 2620 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 420ddba988de5005ee5a10b465384f70 |
| SHA1 | 83d9ba84f4d9c5984bd7c9021b954e60a418e210 |
| SHA256 | fc878b38ef110316dfe13a37fbf909a4437b9e9205df9a865a39c688a28e3fe2 |
| SHA512 | 369ac218b6d624cd3aed2cdf811a27ae26cf5c8a650dcd41639f397e160bf317a3ee1320112b302731ff96135da2be8afb3d204019f5b0aed0538873d088009a |
Analysis: behavioral21
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ua.txt
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
86s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_2.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1940 wrote to memory of 696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1940 wrote to memory of 696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1940 wrote to memory of 696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 696 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 696 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 696 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 696 wrote to memory of 2056 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_1.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_1.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_1.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 6e3f84ea610a10a13b8794afc785b385 |
| SHA1 | 8242da2f313a6c5529bc6b3439bd4d512bfd4701 |
| SHA256 | 5b7cfbc8505456818f9db4755f78f3ea7eae7892d81ded0ed078b5eb65e24df9 |
| SHA512 | ef30ce4ad831867a73a9873c92de54890be56f639c87ee73dc2d7a5e46a8da6005c5324987c989c2d28f416c475eeaaccc32ceaa968e5342c1ab51329ea51f59 |
Analysis: behavioral24
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
137s
Max time network
143s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_1.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
139s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_1_en.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
151s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2040 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2040 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2676 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2676 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2676 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2676 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_2.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_2.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_2.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 15f2cbffd31e41c6d38bf7e0b70eee36 |
| SHA1 | 8ebd901df11d706ad97e9cc772d7843f0680db66 |
| SHA256 | c6348426437f17b8cb8d7afc2c57c85a5122b7448f335b35e1bce7531d3f5a7b |
| SHA512 | 9e0310c90565a3a5f8d5aeba6ff6a5f9a11b1becd63bfbb4974d3e386d2c82c20ac2170ff336a5a0dd184e977b1e1ab1426bc90df8a8bcc7f5928ec79ac0648b |
Analysis: behavioral11
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_kz.txt
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
103s
Max time network
119s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_kz.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
152s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2140 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2140 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2140 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2716 wrote to memory of 1644 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 1644 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 1644 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2716 wrote to memory of 1644 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_3.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_3.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_3.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ab2e1baee0c3dcb228aef5754e8c3a89 |
| SHA1 | 1d0ce085cf9fdc67aa97830ca9ff6b850f716269 |
| SHA256 | 5ce250d0df14e82096b0ba68111e744d4d332a687287aba66b28110403c841e0 |
| SHA512 | 75690e239a00b32032941ae0efd10a964c470fd362c3273e72dab80204945e76dd357d45b8651ac3ce8ae8ae4cda7e96feca1faef8ad64a63b6cbb8c4489b42b |
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
152s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1768 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1768 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1768 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2660 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2660 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2660 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2660 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NKFq.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NKFq.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NKFq.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 0b467a4c4c3fc3b333fc4c3baae0edc6 |
| SHA1 | e5fb687d875ba9529aeb018d23bf5ac24858193b |
| SHA256 | 3e36550c33d765ef5ea2e200d5f91b3f6f1fa71be061a75c886273d6e5d321d4 |
| SHA512 | b51b03e8f9208be4ca0e30f33c00b95cad49ffecf4a23af651ca6eedf1e36e94913ddcbfc790769632857e9ad986503bb60d34e22c65c2e9e5c11f865ed221a2 |
Analysis: behavioral13
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_min_age_16.txt
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ru.txt
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
151s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1884 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2724 wrote to memory of 3036 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_1_en.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_1_en.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_1_en.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8aecb5421616ba72a39977b4888209d1 |
| SHA1 | f87db84b13a3a195479182a0d91a3fec13b379a3 |
| SHA256 | 8675284f848ed7fc77195a33ac74f018dfb7e333770d16c7f96e99fc8e121cb2 |
| SHA512 | c3ab50b3b61563edfee7856b9c0c6ff3b4779643c80b54b3775c9ee49840c49a2f8bc4f13c594b3a8b57c0fa1664789b90215adb610a9a71d19648af27dc1db2 |
Analysis: behavioral8
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_min_age_16.txt
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ru.txt
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
151s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2704 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_2_en.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_2_en.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_2_en.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 4078bb3693dbf7863c80c62cbd6c7c7f |
| SHA1 | d830686b40de3bd08809ed16daeddec574ad330c |
| SHA256 | 208d801c7b567fdefa7ef7d49672512420c0dc039ab9067e51801170525ccdc5 |
| SHA512 | 7d1913fe0dcc3ef2e26d71cef32b0be193bc807cdc27affb7d1ac178683ead338a7cdc9af0380c67c560cedb6a892c0aad21805ef676366c2e613c20487a4cdf |
Analysis: behavioral9
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_en.txt
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
android-x86-arm-20230831-en
Max time kernel
2992017s
Max time network
134s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json | N/A | N/A |
| N/A | /data/user/0/com.pressfigure65/cache/hcjfh | N/A | N/A |
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.pressfigure65
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pressfigure65/app_DynamicOptDex/oat/x86/NKFq.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| DE | 172.217.23.202:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.170:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | 9r8i1u84t2gp1.online | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| N/A | 185.161.248.142:443 | 9r8i1u84t2gp1.online | tcp |
| US | 1.1.1.1:53 | arw2he7x57wp.pw | udp |
| N/A | 185.161.248.142:443 | arw2he7x57wp.pw | tcp |
| DE | 172.217.23.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.174:443 | android.apis.google.com | tcp |
Files
/data/data/com.pressfigure65/app_DynamicOptDex/NKFq.json
| MD5 | a8f77d5722a4e089752397852a305a2e |
| SHA1 | 99124b37a548883dd05eb4007f2b697cef33898a |
| SHA256 | 91fd4d4ac57df1b30bc40406d2e03d68055633d5bf2cd8a184eba6f4a222c7ee |
| SHA512 | a29486bb4abcff207030c8ea1d3fa4fd98654b178993847e50da19501e86360197bfb15067a7ece47ad75181e48c05f4ad1596ea436ef64490f4ae4992a5865b |
/data/data/com.pressfigure65/app_DynamicOptDex/NKFq.json
| MD5 | 87f9025a2e6ce4806027e51a2d05a15a |
| SHA1 | ff1b6e1f28e153f9b3f74e957953c8b53c355d01 |
| SHA256 | f130a5bfcfa239dfb6c9807a02599916683bb334be342c7f3e3d97a725a55a76 |
| SHA512 | 98011fe3bc58cbd91c3c074104dd443c517e58522628a33b495f73f5b61f2fa58bb2b5597232341f3a44c2b56f98d71cde635c8d6352673c1e4566b956febf32 |
/data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json
| MD5 | af73f1889e4ada2c7fbb0512c31c6dbb |
| SHA1 | 927cae26592a79b9eefda0dc8e8473954b3b49cc |
| SHA256 | 67b19fae633db8d33717975a406969e59cc00f2e70bd43ae41c79349c6f74a7d |
| SHA512 | be7a9381f6169910e0baf052bd2978ea5577e024074d68e909244e3e5c248e856d90a9cf42bb9819a7e285a8e9fcf159f4a8de9a5c099e6f0f6b87e3e2f3916d |
/data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json
| MD5 | d081aaa8c167bf676a3521d7dc6c888e |
| SHA1 | cb56830b448ab1c485656d22d509b36839ce9acc |
| SHA256 | d38501e22d23feb948612ea574812d167bc04874ec194ddb20864ca12b5f961c |
| SHA512 | aa85ee5587af1c8565dd32ef2c38a8d0612d5be0fb76cff94707e2b7fa4d44dd6c2106deafcd2df9f9b2fec633f78c98ccb745e567c5cace9b5af0901a4b7fbd |
/data/data/com.pressfigure65/cache/hcjfh
| MD5 | 59e431e1f02923d8d1de501547797bb6 |
| SHA1 | 5be8d6ec7112fe0d3beb30f19967b4ca232b1a17 |
| SHA256 | 63dfc78268b922a5d0fb34f3b56d7bdd24780176bf03dbd4bbff71a5f019d7c0 |
| SHA512 | 72a2f60d6a163bc7281ece342559684e03b230e6f7e310c09301be4440a78e8340f490e4e73a47401d366f0f1de2879ff8f5bc9e81905a9afbd070cba61b26aa |
/data/user/0/com.pressfigure65/cache/hcjfh
| MD5 | 59e431e1f02923d8d1de501547797bb6 |
| SHA1 | 5be8d6ec7112fe0d3beb30f19967b4ca232b1a17 |
| SHA256 | 63dfc78268b922a5d0fb34f3b56d7bdd24780176bf03dbd4bbff71a5f019d7c0 |
| SHA512 | 72a2f60d6a163bc7281ece342559684e03b230e6f7e310c09301be4440a78e8340f490e4e73a47401d366f0f1de2879ff8f5bc9e81905a9afbd070cba61b26aa |
/data/data/com.pressfigure65/kl.txt
| MD5 | 6311c3fd15588bb5c126e6c28ff5fffe |
| SHA1 | ce81d136fce31779f4dd62e20bdaf99c91e2fc57 |
| SHA256 | 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8 |
| SHA512 | 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6 |
/data/data/com.pressfigure65/kl.txt
| MD5 | 0e98c491011e242b195c9e5e169f4e4c |
| SHA1 | f2454484747991d786b1ea517e977890a86947b1 |
| SHA256 | c25559353ad38fb1cf95921d4b382833f917761fc18a46e9c961ef015c9bdc3e |
| SHA512 | fddd7b77ca7dd37dbb2368e8da2e6f16c0c4d3aefe4ef967c7b723dad31c71ac72264cebcfbb9fad3927ab3bfb6165b29547a2bf9996cde362382594859e7f7c |
/data/data/com.pressfigure65/kl.txt
| MD5 | 865fef754e4774ad095dd4d3b3fd2720 |
| SHA1 | dfcb9513b1f398af56ee6f8d4b3e756de7d4a1d8 |
| SHA256 | 8074ad1bd7934ab750f4870df2d520539d58c7b243eee1e6940b597c5bf719b9 |
| SHA512 | 0d51de9d1ba3eb7806ed0886c17e5ce641e011a5271af0371d465934127ed5a503a3022f08cb2d746ae4b0bdcb4254a7bc5cbc7d403fd317309c1d5538382c78 |
/data/data/com.pressfigure65/kl.txt
| MD5 | fc78b26475c708f52b439885c8d5e1ff |
| SHA1 | dee0fbcde0e6cd5caf92dd349fd3b0f68d1aaf29 |
| SHA256 | 2e909ccc2d94eb5487e80d4b092d84b4dadfc4a956c3fe873252f908f73d706b |
| SHA512 | cb7cc46114986064b69c8cd3af3d1482c2f3f2832b138dc805960be2ba39c059e33b4018829a21383623d23a767f43437a2c1c808bc4568a0fb561b9613c7396 |
/data/data/com.pressfigure65/kl.txt
| MD5 | d0f3085ab000d7c808b4a707de417add |
| SHA1 | 24c1191c820d75c61adea1794320cef8eea1b799 |
| SHA256 | f0ed5e887ab0f464c4c03d2f17b36a8dbcfb0a0772d98ffdd9c9a32ce91b5545 |
| SHA512 | ecd75d16ddde47ff69dca3de54bf83ee2fceff731dc021aaaf7f9f305dc732bd4ea260c5a984bdb17529569d7f5056c4af8681d6b0d4e9d0bbed28d4ec43e8b8 |
/data/data/com.pressfigure65/cache/oat/hcjfh.cur.prof
| MD5 | 1828bc0f2f177421c47b268d04ad8319 |
| SHA1 | 5ef4f025dcc3fd3ddbc0f5acf423730e5d232c39 |
| SHA256 | 198195a745c211b29813da215269affe2f076f8f83f1bdf6a83c1cc574e41e2a |
| SHA512 | 7c6b95e3a49581cf55c8ec4ff36778cedf0d2f8b2fb5c68b3e9d38a8d7cd9c82e48ddda534d4677d1ae15f245ab4e5793c7ccad1c5453117e1397fc05895a896 |
/data/data/com.pressfigure65/.qcom.pressfigure65
| MD5 | 046a414913add6f5bb60072c7db819b6 |
| SHA1 | 451ee4f6809260aec622d772fd329c7d0297a842 |
| SHA256 | b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a |
| SHA512 | 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c |
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NKFq.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt_br.txt
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ua.txt
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_2_en.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
139s
Max time network
155s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_en.txt
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
151s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2732 wrote to memory of 2796 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 0b4e302f2dd8523b3ea26b0021f94d69 |
| SHA1 | 493f01f0da3381b50db8eee9c35623d75b92e73c |
| SHA256 | d6c9e45106defcdab08069324118108183466530a72d1de501842b4e6774b25f |
| SHA512 | df3a70db67cd11c31413bd3c72f0deaf1166bfed6092a303679ae3eded01e25ec8b8ece75fe5e58f70c824c5151a34923a660bc91a5d4e20ea65c6c621e48c25 |
Analysis: behavioral15
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt.txt
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
133s
Max time network
156s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt.txt
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win7-20230831-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt_br.txt
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_3.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-20 06:58
Reported
2023-09-20 11:25
Platform
android-x64-20230831-en
Max time kernel
2992021s
Max time network
162s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json | N/A | N/A |
| N/A | /data/user/0/com.pressfigure65/cache/hcjfh | N/A | N/A |
| N/A | /data/user/0/com.pressfigure65/cache/hcjfh | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.pressfigure65
Network
Files
/data/data/com.pressfigure65/app_DynamicOptDex/NKFq.json
/data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json
/data/data/com.pressfigure65/cache/hcjfh
/data/user/0/com.pressfigure65/cache/hcjfh
/data/data/com.pressfigure65/kl.txt
/data/data/com.pressfigure65/cache/oat/hcjfh.cur.prof
/data/data/com.pressfigure65/.qcom.pressfigure65