Malware Analysis Report

2024-09-09 13:44

Sample ID 240503-ge2cwsaf37
Target 7fe4034acdba4834704d57533f82c13115ff452b85158be5ca94243db9eba61d.bin
SHA256 7fe4034acdba4834704d57533f82c13115ff452b85158be5ca94243db9eba61d
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7fe4034acdba4834704d57533f82c13115ff452b85158be5ca94243db9eba61d

Threat Level: Known bad

The file 7fe4034acdba4834704d57533f82c13115ff452b85158be5ca94243db9eba61d.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests modifying system settings.

Prevents application removal

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-03 05:43

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 05:43

Reported

2024-05-03 05:49

Platform

android-x86-arm-20240221-en

Max time kernel

144s

Max time network

138s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 filomarinakiraci.top udp
US 1.1.1.1:53 hayvanyemekveriyoruz.top udp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 verdilerbizeikiadam.shop udp
US 1.1.1.1:53 uzaktasimaatasehir.xyz udp
US 1.1.1.1:53 kopekuyuztedavicisi.xyz udp
US 1.1.1.1:53 topcularaktaricisisedat.shop udp
US 1.1.1.1:53 cannakliyat.top udp
US 1.1.1.1:53 tokaxtliahmetmotorcukuryesi.top udp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp

Files

/data/data/com.nameown12/kl.txt

MD5 bf3c2e08f176ef0303098bdc871f68ce
SHA1 6563f930508cacab96d180505995daeed864cfd0
SHA256 f8b320a03e136aede50580378f1adef023a7776412db9d4a33270e2044e3e61b
SHA512 c94c1b1151f470268f645e82c1527d11d939001b7340173ecc575059ac6170850d7f1ac5941e9772af219dfd4803d2ba3e06c501e94af1e99b7e11741dea712f

/data/data/com.nameown12/kl.txt

MD5 6a57712241a472ca3fbf70716f269042
SHA1 82800821468946fa23c24c09e953f4d8383af28d
SHA256 ea3789d423e8411d76377fb191548851b408ac5555d9e0ba06faa256b4829806
SHA512 6142cf7dcd75556d5670adccfeb80e99dc87dab63eafaa8b238793d129867d2e8430c644b812007fc22a15c3648e9d1019e4a030db9606572633380fd7f5a031

/data/data/com.nameown12/kl.txt

MD5 ed237f5bb40af5551cf6ca6626d301b9
SHA1 64ce6daf86c8b017cc6fc7d54b5de7988379488d
SHA256 72c8364bed920d53e2543140902a5390437db571ad9394f79e442b549d2ba68d
SHA512 ed8194a06240c4d5e7e0db823bbaffcf65289fee0e70e840e6f75a4d8935778ede258dc843de63696999fcd70b73e39e7a7dc394606c30d847418cf3a44a1021

/data/data/com.nameown12/kl.txt

MD5 5058b42aef95a69185ba417da0fe1b0a
SHA1 f734873940e4699e84535aa23a6041e9694fb4e8
SHA256 b08e4f69bb915c27ecb8533fb1ffbc2620f7b0863469e787725e9e4672d816b3
SHA512 46693f258cbe449eac1873b7bee5748a514d92f93dc894092016e65f861b2e8c4d380e9482b3e3cd5a4120658a441dee5e926ab53b75ca33dca00c8eebeba59a

/data/data/com.nameown12/kl.txt

MD5 b26e86cb618df3d04879422d6eca8d7b
SHA1 64838a987f7724ade911f7285b599d450cdff605
SHA256 5a28e4b2bcff94539f31a776f9c50ba74994e75826c6092e5e6ec28e59f1fa1e
SHA512 83a042e77bf0d23bfeea60a414b80f3335dc19acf981b322ca436ad7b9235cc9513d7c4841198a74719ece56923522d42438d1bfa418433805c604a0eb9092f3

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 05:43

Reported

2024-05-03 05:50

Platform

android-x64-20240221-en

Max time kernel

162s

Max time network

168s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 hayvanyemekveriyoruz.top udp
US 1.1.1.1:53 www.ip-api.com udp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 verdilerbizeikiadam.shop udp
US 1.1.1.1:53 topcularaktaricisisedat.shop udp
US 1.1.1.1:53 evcilkusbesleme.shop udp
US 1.1.1.1:53 filomarinakiraci.top udp
US 1.1.1.1:53 tokaxtliahmetmotorcukuryesi.top udp
US 1.1.1.1:53 cannakliyat.top udp
US 1.1.1.1:53 uzaktasimaatasehir.xyz udp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
GB 216.58.204.66:443 tcp
GB 142.250.180.14:443 tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp

Files

/data/data/com.nameown12/kl.txt

MD5 52e4a8bb24ec7573fe17e03536a6ccff
SHA1 dc3f939799dfe3e5da29a613917821e8a1ae022d
SHA256 9446d0024efdeee6189122cc80b5255dc60a9272baa0f8646b77e3cfed8eb37a
SHA512 659f15c36ec114f569f7ca708d882f148f4ddab884b6c66b9bb9864a501b0c25bbe81601b252bedc299c1a8d79f05a2f4857b4d7d215918c9720eccf7a123f9f

/data/data/com.nameown12/kl.txt

MD5 0e95ba4090772821a5fdd26f6488d48d
SHA1 3766921e6422cf9b2e14dc2ea48d80538e9fb733
SHA256 d2eb4931553f41a1cc7af17f20e1254b0f402676192da3ad004b4c5748ede061
SHA512 77e1f53bb7822b2c2c6429f8fd68d3e3acbd872d376c3e8d3d9271f968d6cb8fdbc79c1fd73f0ca2e7652c1c06a65fe24439a5d94bfe2f3ad4134c9a64e65e35

/data/data/com.nameown12/kl.txt

MD5 b0d0fe1e13f2d2f1f1e14d26d475d461
SHA1 4efb7397dbc3b14bff849be237de2e97b82e67d8
SHA256 4f9ed15950b6d961f6b129423c0d17c2f9fab67b33b7df82cbfed01ba8642328
SHA512 e3cd175608a3c202b3dcee1e9e0df48a94c9107e1250c08903c267f4e0446acf06309673fba31cd9294deab65d8abe4087f3d36d9d0c4cf9138afdddda376a4d

/data/data/com.nameown12/kl.txt

MD5 3a17b305be03b8238ac1681070bbef3c
SHA1 ef044b7f734dfe69844c2ba2e137b9dee854c0fd
SHA256 1baa8a3114d5d3ef3cf39c979a79f95d80c8f63cfd264f4c77d0e031f5d9c34c
SHA512 ce7acb1aa5388a66f45df3d548bea650771b60caeeb2d66311591d2d0b29ab81199e0edb8116d88b53031dfba4d48287d7fb4fb469a52c25e43b25a7590ce762

/data/data/com.nameown12/kl.txt

MD5 0dd8eed98858ae2e6f19798d356c23dd
SHA1 cb8a9608b0be694edb03128b16ad6a3087c9bba9
SHA256 e8cfb50bfbceef98212df5167713bd5c761e6c08abf6900edb6f1844cae48334
SHA512 0a690c4b1ba3846f220a4c3754e2dbcf55bfaceef9507f531d0683f3a61a79d98f2fd2176ccaf9d896faf0664c9a6f8a30d500f44d291b454ac9d0c0c668c6aa

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-03 05:43

Reported

2024-05-03 05:50

Platform

android-x64-arm64-20240221-en

Max time kernel

159s

Max time network

167s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 kopekuyuztedavicisi.xyz udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 verdilerbizeikiadam.shop udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 cannakliyat.top udp
US 1.1.1.1:53 evcilkusbesleme.shop udp
US 1.1.1.1:53 uzaktasimaatasehir.xyz udp
US 1.1.1.1:53 filomarinakiraci.top udp
US 1.1.1.1:53 topcularaktaricisisedat.shop udp
US 1.1.1.1:53 hayvanyemekveriyoruz.top udp
US 1.1.1.1:53 tokaxtliahmetmotorcukuryesi.top udp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
GB 172.217.169.4:443 tcp
GB 172.217.169.4:443 tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp
TR 87.121.105.47:443 hayvanyemekveriyoruz.top tcp

Files

/data/user/0/com.nameown12/kl.txt

MD5 6d9b049d0596275251406459e2d21813
SHA1 8e9012742466f735d26b86e1a420f59860175974
SHA256 88e82391ac2fa6038e1aec2a6034eb03acdae352a072e96f3fe36e5ec47d8751
SHA512 64853f14a9ec8e46b779fffe3bbee03764c08307370f74e17fdb3f615661b0233e867f9c47afeaf9d635b2bc6027cc432a5a355a063ab72baf5ece9c7c1ca746

/data/user/0/com.nameown12/kl.txt

MD5 ca50e9ebe6c5afc0b301045544d2c1b4
SHA1 df26d451c7442c1e6373147f477977d034a9966e
SHA256 c31c1968d4e271a470f71d953d6023a139e0c9d9cc4b1d45a926519e4a44482f
SHA512 664e257832968fef21f2077ce04658f62c853da82aa0416ab13edfb5ecb83a1653af26af0211713831dba84a0a03bb2fea909e69b247b8281e2cfa74d7435b1e

/data/user/0/com.nameown12/kl.txt

MD5 26539a98171299bbd6bae7d77cbdce50
SHA1 7ebc6046f7eca24eb0b3f8c18dccf5d622e65236
SHA256 ffa06e86580982ae91fac51043e93287e3be52eeb22b260fff42ee8068f92ebe
SHA512 8c50285365c2e19f8cba6d3f471a8a3130331c161090af46f450c1ac18d0af73d6b1a896ba778c077d18c8dfbe2e84e86d2f8d3cd9cc20cd4508abcfdd6fbf8a

/data/user/0/com.nameown12/kl.txt

MD5 3cf272d4b6212dd28ef7731fceec00ae
SHA1 bf0eef886dd59a58213492df95ff589ee76fb2a4
SHA256 ef051301639561a5ca52b1d75c670e888d9174627182de6f7e4f619d0ee26d0d
SHA512 1d0dd07f5e56f2395067c1c746a07c5aa2351d22bac21667ecb89105417277fcdb18a6f9011aadcf2b8c1bd5a087bb7d303a0e3aa706adcc786aff2632876dd1

/data/user/0/com.nameown12/kl.txt

MD5 edf65ba91169431d67a74474c7e7498f
SHA1 a6105930e24a0df6a1dd738137ebe8c81b1e1cb0
SHA256 dbbe9f3a81867d38188d78f44fcf5d2ca3ec8ebbffb01b90db6fb7b5891bcf1c
SHA512 6cac072fbd884401c4fc9d6b266d43518ddfcab9f4524203976a5c199a089a1e2651d06866f9e568a3e265e39ba12dcd14f3f7c5fe8a12e4020a5c7ba8fbfab4

/data/user/0/com.nameown12/kl.txt

MD5 15eaa4432a1e01608964acaff5aac587
SHA1 6e2468f9857f493aece91f4489b6708c15f76748
SHA256 909603cf5f470597d4fd3aec773b4e2026fe3a339741cdc2ec05455c6480ca4f
SHA512 205d05e4163d35c5e43ef178382d82cf81b770aed6266026f094e260343d46dba0d5686397d9510c555a357f9cc2f5e83d9a3c2493646b96ba6e2d8b217deff6

/data/user/0/com.nameown12/kl.txt

MD5 bfc37af19cff146ff052c6a71a8cc897
SHA1 c3657f58a698035a582f316e30b9e400db8dc32c
SHA256 b421e61d458fc84265292253b6160b735f4613b091b0696e22de7cd385a01000
SHA512 8c3912b6f999a89c12cb2bc8fba79db6f1c37db191c811b1d75f58f7b80a117fea4f91646554b7c771f88dddf19ba2bd18997f4a69372fef5f9b5267978b7f7a

/data/user/0/com.nameown12/kl.txt

MD5 f4e84061f520c9fed197ae4c9129f2cb
SHA1 41ebd2e88cccfb13307abe1eca868f3e15701ca7
SHA256 5c969e088091c42ef4f87b2f028ffc3d06a633d450d0028a65290a604289e171
SHA512 514e78f92f8c26e154a70ba6f1db84f7ae3212d55a8a4bac52952c153856c67f83d1901b38c48b505e2ab5fa735a94a8b5de09b040fb9594187c71dd6a0f5ca5

/data/user/0/com.nameown12/kl.txt

MD5 085eac3c66a5044a60ac0af4d20ec083
SHA1 d079365b703e304813713e6f5dbcea48758ee6a3
SHA256 77aef3262b5a4eb6ae4bb001664606ceb9f63851e4870fcd9059f1dbc2f81b7d
SHA512 e674cb9401d6c9452b17abffb87c54650ec69b2aec5e7cf4606e2b055a4b369b2d8af64d1f6122d6bdc8aa6c65c97b81da37e7eb4fffbc439a82708f7fcadaf2

/data/user/0/com.nameown12/kl.txt

MD5 68a8e17658a53cc15707114f4f052597
SHA1 5a7946c579696e13795ec74e4fe0d62544a15f78
SHA256 dc7cdd1a340deb4f441ae443af970ec2d3453af15eca1c995465c94316dcc74e
SHA512 0b897dee997f693f3877082efb64e65034c1f0f1cddb74be2a16c63c7582158666a475789da789d990d7d3f5bbd4a7b277f08836d27110e2bd68787fe45859f7

/data/user/0/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c