Malware Analysis Report

2024-09-09 13:47

Sample ID 240601-2knn7shc4s
Target 8554d0c0db41ac22a8959b1bf4d3a11e9439f502cea86373308526596733d348.bin
SHA256 8554d0c0db41ac22a8959b1bf4d3a11e9439f502cea86373308526596733d348
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8554d0c0db41ac22a8959b1bf4d3a11e9439f502cea86373308526596733d348

Threat Level: Known bad

The file 8554d0c0db41ac22a8959b1bf4d3a11e9439f502cea86373308526596733d348.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests accessing notifications (often used to intercept notifications before users become aware).

Removes its main activity from the application launcher

Prevents application removal

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 22:38

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 22:38

Reported

2024-06-01 22:41

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

149s

Command Line

com.airtellql

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.airtellql/cache/dmbgcypmavpl N/A N/A
N/A /data/user/0/com.airtellql/cache/dmbgcypmavpl N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.airtellql

Network

Country Destination Domain Proto
GB 216.58.213.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 rizyat.top udp
US 1.1.1.1:53 zupqel.xyz udp
US 1.1.1.1:53 hudxap.top udp
US 1.1.1.1:53 lupzod.xyz udp
US 1.1.1.1:53 tupfij.xyz udp
US 1.1.1.1:53 fozkiv.xyz udp
US 1.1.1.1:53 gikmuv.xyz udp
BG 185.216.70.208:443 fozkiv.xyz tcp
US 1.1.1.1:53 xotpin.top udp
US 1.1.1.1:53 nevdiz.xyz udp
US 1.1.1.1:53 qowzef.top udp
US 1.1.1.1:53 qidvob.top udp
US 1.1.1.1:53 xepmeq.xyz udp
US 1.1.1.1:53 leoyuz.top udp
US 1.1.1.1:53 werboq.xyz udp
US 1.1.1.1:53 kovjep.top udp
US 1.1.1.1:53 yiqvux.xyz udp
US 1.1.1.1:53 xulqir.top udp
US 1.1.1.1:53 juxleq.top udp
US 1.1.1.1:53 gufwap.xyz udp
BG 185.216.70.208:443 fozkiv.xyz tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
BG 185.216.70.208:443 fozkiv.xyz tcp
BG 185.216.70.208:443 fozkiv.xyz tcp
BG 185.216.70.208:443 fozkiv.xyz tcp
BG 185.216.70.208:443 fozkiv.xyz tcp

Files

/data/data/com.airtellql/cache/dmbgcypmavpl

MD5 555d7d83ed1e7fd974b12869150211a6
SHA1 dd238b54cf6d8d1bd76903e06a46f21d3f5d2620
SHA256 505d2049a856697ce0d0ffcb24e92c33fce95b55bb195f902f3afecea417d869
SHA512 76cd63f13fddb0185aea7699c9dbf16aaf93693c68070e733f6a404d43c424c1673aa1bef92aaafbabf88e3fbf6eff35485ba0c94227a30f10fa682ebb05fbb1

/data/data/com.airtellql/kl.txt

MD5 900ef2f869bda24991870e87c6ff720b
SHA1 ebb5937b6e38f4fc2f2a207e1f329981785f8a89
SHA256 1f1efae456434f68ed756cbf7555ada1ea44b1ec85375813dfe485bf12add3b6
SHA512 54a62cd86b58becbfc043cfd797dcd79dad42ce86e2b75d6cfbac71c2c3301c61e5e920a2ba47a2c5a02c8b2c7ced50192bd30858ce1b2942ceea27b3057997d

/data/data/com.airtellql/kl.txt

MD5 19cc49dafb3648ba4b33f07eb6c8b453
SHA1 39a2e68408e74e52200164f25cb477d998cce65b
SHA256 6e8b108b9612416cbba7b19b8ad34a7bf4e2722844e3199d12612a29446cd262
SHA512 d7f4c1a28f10171666c7662d366c9cf15ff9cf9d7452c1eedc0a237af58b0f78b1f1993e24cf8e2d54c8a9509de824643c27ae3ddb42e22005663fed195c547d

/data/data/com.airtellql/kl.txt

MD5 ebbb845b1c80528f99b826fc84ea0a13
SHA1 f92904946c4f7d5db472e742752e57a43ae7c136
SHA256 a5a022b17a4b2baf4b68baa746342e38fa65ffe7adca2aabb8fb55a693bb30ea
SHA512 e285eb0603010249da10f3ab5c26bd45fd48a041c73a6ce1834750c959a255428e61081fdc3e53fc989e04cefdef4ac8496a1a3f62baa935e472b876b2ec2518

/data/data/com.airtellql/kl.txt

MD5 2b2437c4ecf254b439b90d5aa41d7716
SHA1 5a781b10e3fc85109f892e47b8611c0ca4fb5f26
SHA256 938f66f08ca3db1fbe03198c8f5b8c67f9537933b182de925a2c698fc2524862
SHA512 b96e711f24e6435a3ead6f1ffe951a5719ded2caf41f7fd5e7ce9f3194c27cea9896eec43449ef5a7ba4ac9ea7220fcefd52334344944284ab2c50f4156dfa7d

/data/data/com.airtellql/kl.txt

MD5 2a0324b2c6cc73d04df35c5451967824
SHA1 43bfa38c4803b07e053c99c47db9dbc243b3f31f
SHA256 3d4e9da969a3c27edc746ac437071b68285799e8b011ec939a1a1792825b1ccf
SHA512 1cb425df9fba22bb13d786fa0372b3b1c8c64152ff8f8761f0474c2e3f8fc3a9e6452b6e5d03b6b3cbc90e71dc4b48eb4a6306a2df45ec6f34b1d9972c7fe35f

/data/data/com.airtellql/cache/oat/dmbgcypmavpl.cur.prof

MD5 f5dd7673f6c08258dde8eeaf2463b856
SHA1 bbc5f1fc4145c2eb0c51f949d8363911035268b9
SHA256 e71721a9e75671570ee5d389971a5a381b3f1a57a1c6e095e095ad9bd17c5e44
SHA512 d4b25752335ddf1ef0d7a636a041d1284bfcbf3e2d7664b483b81e64f921797c9b1ec62dc33c047a694f89fc2041ce8b13338aecff52035af91c4c6e6560623f

/data/data/com.airtellql/.qcom.airtellql

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 22:38

Reported

2024-06-01 22:41

Platform

android-x64-arm64-20240514-en

Max time kernel

170s

Max time network

151s

Command Line

com.airtellql

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.airtellql/cache/dmbgcypmavpl N/A N/A
N/A /data/user/0/com.airtellql/cache/dmbgcypmavpl N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.airtellql

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 xepmeq.xyz udp
US 1.1.1.1:53 tupfij.xyz udp
US 1.1.1.1:53 werboq.xyz udp
US 1.1.1.1:53 gikmuv.xyz udp
US 1.1.1.1:53 leoyuz.top udp
US 1.1.1.1:53 lupzod.xyz udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 juxleq.top udp
US 1.1.1.1:53 wemdap.top udp
US 1.1.1.1:53 qowzef.top udp
US 1.1.1.1:53 qidvob.top udp
US 1.1.1.1:53 gufwap.xyz udp
US 1.1.1.1:53 kovjep.top udp
US 1.1.1.1:53 xulqir.top udp
US 1.1.1.1:53 yiqvux.xyz udp
US 1.1.1.1:53 xotpin.top udp
US 1.1.1.1:53 nevdiz.xyz udp
US 1.1.1.1:53 fozkiv.xyz udp
BG 185.216.70.208:443 fozkiv.xyz tcp
US 1.1.1.1:53 rizyat.top udp
BG 185.216.70.208:443 fozkiv.xyz tcp
BG 185.216.70.208:443 fozkiv.xyz tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
BG 185.216.70.208:443 fozkiv.xyz tcp
BG 185.216.70.208:443 fozkiv.xyz tcp
BG 185.216.70.208:443 fozkiv.xyz tcp
BG 185.216.70.208:443 fozkiv.xyz tcp

Files

/data/user/0/com.airtellql/cache/dmbgcypmavpl

MD5 555d7d83ed1e7fd974b12869150211a6
SHA1 dd238b54cf6d8d1bd76903e06a46f21d3f5d2620
SHA256 505d2049a856697ce0d0ffcb24e92c33fce95b55bb195f902f3afecea417d869
SHA512 76cd63f13fddb0185aea7699c9dbf16aaf93693c68070e733f6a404d43c424c1673aa1bef92aaafbabf88e3fbf6eff35485ba0c94227a30f10fa682ebb05fbb1

/data/user/0/com.airtellql/kl.txt

MD5 f7421fc696388f739730f88363e02737
SHA1 5d8c3cd52b51c650c68a1d3f9b70f149efc06d34
SHA256 cd4ccb07270e64f73d4ff7ff1136b77698db4f7f20e5925d1da30d064e7b6133
SHA512 ed1f738c487bb349adcd728e79443bcfd0803e0eacc5567b1897067c02740e482d06216a861367e926740215747a003510ad6e71057cbbbf55c3f9002348a553

/data/user/0/com.airtellql/kl.txt

MD5 2b2437c4ecf254b439b90d5aa41d7716
SHA1 5a781b10e3fc85109f892e47b8611c0ca4fb5f26
SHA256 938f66f08ca3db1fbe03198c8f5b8c67f9537933b182de925a2c698fc2524862
SHA512 b96e711f24e6435a3ead6f1ffe951a5719ded2caf41f7fd5e7ce9f3194c27cea9896eec43449ef5a7ba4ac9ea7220fcefd52334344944284ab2c50f4156dfa7d

/data/user/0/com.airtellql/kl.txt

MD5 6ff2345a4449df67aa3b4a4a5af5d9a9
SHA1 e0f99705995a0b2af2f24ec60d586960e6b85e07
SHA256 c72b921d27c93e35783584590c46ed086914c9e7f1b6fc4584d7944e41329018
SHA512 7ae65253bd5abfa2b58d58a2717452e813ee561a0797c42f2370b77236cd73800afcba4d75bf3621226cc2353df22134f7a5028e7dd5eaeba022f625541e3961

/data/user/0/com.airtellql/kl.txt

MD5 83d230a08afc041b30809bdedac36d34
SHA1 4aee2eed3a5d0b2afd474ffeac3b6ddada76f1c6
SHA256 72a627d39b6cc0a10a8b5d0de8ccfbd4a33cecfa18ebef30c15bf6d41f2f5449
SHA512 afd7d3324019a2e3d31071f8cab481c8ffb48d53cd792cd6d434f1ea20e1d994416a2c3fd9dc382a774a6bdbfdce5c79e285147275f35c396ed33c60e036b185

/data/user/0/com.airtellql/kl.txt

MD5 9828e003fccdaec8c7e9553cd411c5ba
SHA1 1dc1a809a51badb9ac08481376ff803524182614
SHA256 1dff07d4ce0a323f11e042e84aefa8e935724aeedccb9110341635a1e4dc4cd7
SHA512 88cb41af3e4fb3eaa2eac7b9e01a915f3421eb57a3ce9a1378229e35ea33a45fb7784eca85d10402b0aa2833ba11cea43b4d5b550b405c1fba8af29949b1c098

/data/user/0/com.airtellql/kl.txt

MD5 4b985e4f42efcd1e044e5d56ac1d0e6f
SHA1 2493c587ba0a344382159138a9a9387bb0f4c527
SHA256 31799cba5f9672668840fe6941e3444209ab7c988d6d9d979cb11398ba9fd4b3
SHA512 0df3b4cd105e1f9006c4f5fe9b207d4b8ccb4fc3fa3c7332622127f9cdbafa933458f162a28ef74537cea6fda42e9373f059b89d822d44d3ca5cf68bf1b72138

/data/user/0/com.airtellql/kl.txt

MD5 ef2daa706ff257ea2b5a0324dd623768
SHA1 f3dfbad00ee30c0cbb9acf001a06b7b8a417cb01
SHA256 178371ee43cf022b54dcb1792f48a6598b9710bd8dd3b57bf4bf4c2da232092d
SHA512 dd149c4668b9ad147fa8bbba8cea790664a9d76634bd057676c091b19288a364608176c7cac821a4610b252a828bd3453f36a67809aaa67e2be70fa8a367e3f6

/data/user/0/com.airtellql/kl.txt

MD5 af0dbbb3149be63daf12914a94c5f60b
SHA1 a29c75d1ab89ae9b4b77790b17655f37bdade30b
SHA256 c8ac83fe230580bbac766762c9595a8f6f13e3e9069ee15618e03e3c096eae1a
SHA512 0437fb1fd60714bc3a1ef42929b20553474c706114d528b22e77037ae8969b7af8a101b106a5a82a6e8ded6f06f1bd42aa41d731e4b75f8138a7e66dc74b8fdc

/data/user/0/com.airtellql/kl.txt

MD5 ec24a39dc489f952caee79f60ffd4260
SHA1 5db8608f0e44bf75d355586b96e008020eb14a17
SHA256 319c105254c3cc4aaeadf3fa96ee08e70cf0a42219401a85c677b813564163f4
SHA512 b35a1ed054e0fe2900e2295ae5990b0cb6c113b52edd562a9fd4496d21ccbb0e339362dd44346d84b8f9fa4acc84eeab72594625bb5df104eb6779902d14dd33

/data/user/0/com.airtellql/kl.txt

MD5 8dfc88e90f372648bad2bb4daa91039e
SHA1 ac4f0a78970f033c0f0a1a5112ff97bff4612230
SHA256 d98aa53f2a23403d58a493e4d06113c64d636a81d11092c1e7524a886820f4ab
SHA512 9f5e87eb8b0add2095418e4921278276d0fa445c485e5610f0a4424f4f7538302dbda0de1d23bfed93b6105f17131192ef135249bd066c1414d50b76e1c7119c

/data/user/0/com.airtellql/kl.txt

MD5 54aaf4d54f00788c046a0a617a7817e2
SHA1 6273057894773b744ebe7743da68055b992a7010
SHA256 c4175f4c618e4c85c2e95b7be4fff6de50c891fd60d537bf621160fecfdefeb0
SHA512 d162f3eed5ac2031989b9b643d48b6516cfe2bf0158df7728af6649af9bf816223af4fe24191a823fdb8830672d7506bc16239d9a1984740e4231e0804a0d54b

/data/user/0/com.airtellql/kl.txt

MD5 2a3b78d0269255503c5e4faa4ae45e5a
SHA1 d5205f0abbccfe73928f6024d8bbd74094997cc6
SHA256 4a2dd4deba2470ea66d1a4c874086eab8441af5c3408d9ffb0cdd536fc135ea7
SHA512 425dac097ac7d88f34d17034c188666c132d2a2ad3eee31f7f1af701c3a6fccbebacd518edb17d0d69b8a9998c60c6c12b3099a41bea48ecb525a4084968688c

/data/user/0/com.airtellql/kl.txt

MD5 fd68b34fdb4ab95e82c3df51a2371ef8
SHA1 9d9bf7394086f646eab2a5798f25277326a5aff9
SHA256 26708f07a825c49940c943a21c9618233bcefc5a7c5869d4c324a48f7a7a40a0
SHA512 f224632c4159c08e191cc04cca7c8cc5773fe9788a2318482b4b10af7eb3981e3f444d5b345123fc3cb3639b1a4d251f8f418c70b09fa49dee934e9f1eb090fa

/data/user/0/com.airtellql/kl.txt

MD5 9bbb57a08b9ec3cf61809258bb52dd45
SHA1 025508df99d97b09d653e54b45cf460d76387b8b
SHA256 1f72ac2cd96633dbbcff8783f99e8b629e26f38500e75fb20f7fd860da9199e0
SHA512 09eb8f1db67d4db8e5dfb52cdfebfdc1667a9e3e101dd7d71f0e835cd424a7523484f10b94a482645de9d15fb3c426fbc2d1b2b84be923a809bccca72c7b56f0

/data/user/0/com.airtellql/kl.txt

MD5 8d4f178b1c71698e21b23c26fa4afca2
SHA1 8c7b75e98b2916c36e171304ad1c51190616d14a
SHA256 3f1c548ffe790192fd07fbfced72bdd3f3f63d7b4d1954d762f644f6b1759c30
SHA512 0ebfc8a5aeef325b258582f02f748c2f5dd4afc273b7dceec4e326a3574e466da11ac4ecdb92aedf67d6a6d4b6541fb2b3318867fd091434bee8dbb88f9359a5

/data/user/0/com.airtellql/cache/oat/dmbgcypmavpl.cur.prof

MD5 bae7fc7688bd89ee9c94f7e985de9b61
SHA1 60533e58cab2f16daf420c4989a32b24e4f71b82
SHA256 aa1fb89a60c2a969cd19cee459a55ae6feacd075f14714c2443c00f667b71511
SHA512 b00fbac159ffa6c9338380e9c52d99983726a75a96db3ae2f4e85348cd9cd722ab55cabe351dabcfbc15986a6f2c6b1b48c16551acc3c0790f2e32ea3ad496e6

/data/user/0/com.airtellql/kl.txt

MD5 098e3f06122f84b30718e9b0cf63f574
SHA1 fba36e79efbe817a9fe3e5157a8caf20942430b6
SHA256 8191a5b75b3952c592a96b825c8646f51dd9d0141ee10d4e8f119dcb4ef27c34
SHA512 680308f5bdc69174a00b2dc5bb7aa473cfeea3617a1e67bbb44e68593bad9af95a991fdc10440ea72433343cb1ba5605ec2f9d3f0d1a0538edfd5a3d55eedc98

/data/user/0/com.airtellql/kl.txt

MD5 ddb5c631bc598a9245def39c3d68c862
SHA1 c832afa20dfaa6a56bc03928606bf98ee1affb49
SHA256 32d4f1cd62624b863656c64e1871862e32ef3b74e0901863a7259bd45caa5714
SHA512 3ad820ff25f22382f3fff7d7060329411c64656b4325e7a54063f8b70197a7d32a3723b09d966e40c7ddb02a1690fe2378d468a2a56501a12842368b4fb54bae

/data/user/0/com.airtellql/.qcom.airtellql

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c