Malware analysis https://files.union-crax.xyz/f/KBm-vLvE7ksajIby Malicious activity

Add for printing

URL:	https://files.union-crax.xyz/f/KBm-vLvE7ksajIby
Full analysis:	https://app.any.run/tasks/e1bfec23-8e36-43f5-98fa-eb429643d9dd
Verdict:	Malicious activity
Threats:	Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage. Malware Trends Tracker >>>
Analysis date:	March 03, 2026, 16:34:00
OS:	Android 14
Tags:	promptspy spyware
Indicators:
MD5:	6193493C36F48C3A9F99DE95E42E6772
SHA1:	0C9B784FE847FAE6C522C36622856637C338F4C6
SHA256:	74A7513A873FD7A4E195E6FBBC8E7196C987820E07BBE951D51E7BA5F66C094E
SSDEEP:	3:N8McOd51nZpTOn:2McOxDO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- PROMPTSPY has been detected
  - app_process64 (PID: 4479)
SUSPICIOUS
- Accesses system-level resources
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Returns the name of the current network operator
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Accesses external device storage files
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Retrieves the ISO country code of the current network
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Uses encryption API functions
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Establishing a connection
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Creates a WakeLock to manage power state
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
INFO
- Loads a native library into the application
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Dynamically loads a class in Java
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 4479)
  - app_process64 (PID: 5124)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

183

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3967	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 9
4014	com.android.traceur	/system/bin/app_process64	—	app_process64
User: u0_a54 Integrity Level: UNKNOWN Exit code: 512
4027	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 9
4049	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 9
4064	org.chromium.chrome:privileged_process0	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 9
4106	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4143	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4169	com.android.providers.partnerbookmarks	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4230	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4319	/system/bin/dmesgd	/system/bin/dmesgd	—	init
User: dmesgd Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

382

Text files

129

Unknown types

Dropped files

PID	Process	Filename		Type
4353	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.UdpywT/list.pb		binary
		MD5:—	SHA256:—
4353	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.UdpywT/manifest.json		text
		MD5:—	SHA256:—
4353	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.UdpywT/LICENSE		text
		MD5:—	SHA256:—
4353	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.UdpywT/_metadata/verified_contents.json		text
		MD5:—	SHA256:—
4353	app_process64	/data/data/org.chromium.chrome/app_chrome/component_crx_cache/cab4d1f0a6a2a1afecae808a520f6690dd2b9d58bf54762877f2dc9715d55461		binary
		MD5:—	SHA256:—
4372	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.4j6aIu/privacy-sandbox-attestations.dat		binary
		MD5:—	SHA256:—
4372	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.4j6aIu/manifest.json		text
		MD5:—	SHA256:—
4372	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.4j6aIu/_metadata/verified_contents.json		text
		MD5:—	SHA256:—
4372	app_process64	/data/data/org.chromium.chrome/app_chrome/component_crx_cache/38c89b12bb20a8f2751c9c7cd2e31c173a47af08c115e1ecccc2f5151a2cf2c6		binary
		MD5:—	SHA256:—
4391	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.MfdpRx/decoded_xz		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3967	app_process64	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=vlm%2FP%2FpHpMtEp6kfkb0CKardjjBrbDXyms3CKAPqTWAEXDrE3UJihyvD4ww0XE3f6y5qU1kjoFIr%2FnWnXX9Eu9Tm786T2WuL2%2BjbIfRAevArnv1V	unknown	—	—	unknown
1921	app_process64	GET	204	142.251.36.100:443	https://www.google.com/generate_204	unknown	—	—	whitelisted
—	—	GET	204	142.251.36.100:80	http://www.google.com/gen_204	unknown	—	—	whitelisted
3967	app_process64	POST	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=vlm%2FP%2FpHpMtEp6kfkb0CKardjjBrbDXyms3CKAPqTWAEXDrE3UJihyvD4ww0XE3f6y5qU1kjoFIr%2FnWnXX9Eu9Tm786T2WuL2%2BjbIfRAevArnv1V	unknown	—	—	unknown
4479	app_process64	HEAD	200	52.86.188.173:443	https://ping1.tnt-ea.com/	unknown	—	—	unknown
3967	app_process64	GET	200	104.16.80.73:443	https://static.cloudflareinsights.com/beacon.min.js/v67327c56f0bb4ef8b305cae61679db8f1769101564043	unknown	text	29.4 Kb	whitelisted
3967	app_process64	POST	200	142.251.127.84:443	https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&laf=b64bin&json=standard	unknown	—	—	whitelisted
1921	app_process64	GET	204	142.251.36.99:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
2931	app_process64	POST	200	142.251.168.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain	unknown	binary	778 b	whitelisted
2931	app_process64	POST	200	142.251.168.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABnLSNF7MBILStY-JsQE-MBmhRTxmkYSFBvgY=&request_id=60879d73-bda9-474d-98b2-42fed074d478	unknown	binary	11.8 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
452	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.251.36.100:80	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.36.99:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.251.36.100:443	www.google.com	GOOGLE	US	whitelisted
3967	app_process64	216.58.206.46:80	clients2.google.com	GOOGLE	US	whitelisted
3967	app_process64	188.114.96.3:443	files.union-crax.xyz	CLOUDFLARENET	US	whitelisted
3967	app_process64	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted
3967	app_process64	142.251.36.100:443	www.google.com	GOOGLE	US	whitelisted
3967	app_process64	104.16.80.73:443	static.cloudflareinsights.com	CLOUDFLARENET	US	whitelisted
3967	app_process64	35.190.80.1:443	a.nel.cloudflare.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.141.78	whitelisted
www.google.com	142.251.36.100 216.58.206.36	whitelisted
clients2.google.com	216.58.206.46	whitelisted
files.union-crax.xyz	188.114.96.3 188.114.97.3	unknown
accounts.google.com	142.251.127.84	whitelisted
static.cloudflareinsights.com	104.16.80.73 104.16.79.73	whitelisted
a.nel.cloudflare.com	35.190.80.1	whitelisted
connectivitycheck.gstatic.com	142.251.36.99	whitelisted
time.android.com	216.239.35.4 216.239.35.12 216.239.35.8 216.239.35.0	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	142.251.168.81	whitelisted

Threats

PID	Process	Class	Message
3967	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3967	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check

Add for printing

No debug info

General Info

https://files.union-crax.xyz/f/KBm-vLvE7ksajIby

6193493C36F48C3A9F99DE95E42E6772

0C9B784FE847FAE6C522C36622856637C338F4C6

74A7513A873FD7A4E195E6FBBC8E7196C987820E07BBE951D51E7BA5F66C094E

3:N8McOd51nZpTOn:2McOxDO

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

PROMPTSPY has been detected

SUSPICIOUS

Accesses system-level resources

Returns the name of the current network operator

Collects data about the device's environment (JVM version)

Accesses external device storage files

Retrieves the ISO country code of the current network

Uses encryption API functions

Establishing a connection

Updates data in the storage of application settings (SharedPreferences)

Creates a WakeLock to manage power state

INFO

Loads a native library into the application

Dynamically inspects or modifies classes, methods, and fields at runtime

Dynamically registers broadcast event listeners

Dynamically loads a class in Java

Retrieves the value of a secure system setting

Gets the display metrics associated with the device's screen

Verifies whether the device is connected to the internet

Retrieves data from storage of application settings (SharedPreferences)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings