Malware analysis https://vidssave.com/yt Malicious activity

Add for printing

URL:	https://vidssave.com/yt
Full analysis:	https://app.any.run/tasks/b51d715f-071a-4db2-95c0-cbd1228388ab
Verdict:	Malicious activity
Threats:	Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage. Malware Trends Tracker >>>
Analysis date:	February 20, 2026, 14:43:09
OS:	Android 14
Tags:	promptspy spyware
Indicators:
MD5:	501E93D226A363994C9D451E5CDCF0FB
SHA1:	346DDC8DEEC4A1760BFA1F2038BD3B32A9487530
SHA256:	EE5F36604C053F498FC1A8FEFF37C0CD1DA5E8F6191F5B68D9293AC09D6CFDFD
SSDEEP:	3:N8OWPudIHR:2Nu6R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- PROMPTSPY has been detected
  - app_process64 (PID: 4452)
- Executes system commands or scripts
  - app_process64 (PID: 4452)
- Checks whether the screen is currently on
  - app_process64 (PID: 4719)
  - app_process64 (PID: 4452)
SUSPICIOUS
- Retrieves Android OS build information
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 5552)
- Creates a WakeLock to manage power state
  - app_process64 (PID: 4452)
- Uses encryption API functions
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 5552)
- Establishing a connection
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
- Acquires a wake lock to keep the device awake
  - app_process64 (PID: 4452)
- Accesses system-level resources
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Starts a service
  - app_process64 (PID: 4452)
- Retrieves the ISO country code of the current SIM card
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 5552)
- Retrieves a list of running tasks
  - app_process64 (PID: 4452)
- Monitors changes in clipboard content
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
- Scans for popular installed apps
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Abuses foreground service for persistence
  - app_process64 (PID: 4719)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4452)
- Sets file permissions, owner, and group for a specified path
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Retrieves the ISO country code of the current network
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Accesses external device storage files
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Retrieves a list of running application processes
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Retrieves the MCC and MNC of the SIM card operator
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Retrieves the file path to the APK
  - app_process64 (PID: 4452)
- Checks for the presence of Android Monkey automation
  - app_process64 (PID: 4452)
- Accesses memory information
  - app_process64 (PID: 4452)
- Executes dynamic code using class loader
  - app_process64 (PID: 4452)
- Triggers notification to user
  - app_process64 (PID: 4719)
- Detects presence of QEMU emulator
  - app_process64 (PID: 4452)
INFO
- Returns elapsed time since boot
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Gets file name without full path
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 5552)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Dynamically loads a class in Java
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Stores data using SQLite database
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 4718)
- Initiates a connection and sends an HTTP request
  - app_process64 (PID: 4452)
- Listens for connection changes
  - app_process64 (PID: 4452)
- Retrieves CPU core information
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 4452)
- Loads a native library into the application
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 5552)
- Retrieves the value of a global system setting
  - app_process64 (PID: 4452)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Handles throwable exceptions in the app
  - app_process64 (PID: 4452)
- Verifies presence of SIM card
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Checks system memory usage details
  - app_process64 (PID: 4452)
- Retrieves the value of a system setting
  - app_process64 (PID: 4452)
- Creates and writes local files
  - app_process64 (PID: 4718)
  - app_process64 (PID: 4452)
  - app_process64 (PID: 4719)
  - app_process64 (PID: 5552)
- Detects if debugger is connected
  - app_process64 (PID: 4452)
- Listens for changes in sensors
  - app_process64 (PID: 4452)
- Drops script file
  - app_process64 (PID: 4452)
- Detects device power status
  - app_process64 (PID: 4452)
- Checks if Wi-Fi is enabled
  - app_process64 (PID: 4452)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 4452)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

162

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3972	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4011	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4035	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4051	com.android.traceur	/system/bin/app_process64	—	app_process64
User: u0_a54 Integrity Level: UNKNOWN Exit code: 512
4069	org.chromium.chrome:privileged_process0	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4096	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4154	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4180	com.android.providers.partnerbookmarks	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4289	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 9
4377	/system/bin/dmesgd	/system/bin/dmesgd	—	init
User: dmesgd Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

653

Text files

518

Unknown types

Dropped files

PID	Process	Filename		Type
4452	app_process64	/data/data/com.video.fun.app/shared_prefs/com.google.android.gms.measurement.prefs.xml		xml
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/files/PersistedInstallation2758965844297794662tmp		text
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/files/PersistedInstallation.W0RFRkFVTFRd+MTo0NDgyMjA0OTk1NzY6YW5kcm9pZDo2MTAwYjljZGMyOWY0NWI4ZDcyNzhk.json		text
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/files/.com.google.firebase.crashlytics/6998736A0232-0001-1164-3AB3A33A828FBeginSession.cls_temp		binary
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/no_backup/androidx.work.workdb-journal		binary
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/shared_prefs/host_appdata.dt.xml		xml
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/files/.com.google.firebase.crashlytics-ndk/6998736A0232-0001-1164-3AB3A33A828F/session.json		text
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/shared_prefs/com.google.firebase.crashlytics.xml		xml
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/shared_prefs/FirebaseAppHeartBeat.xml		xml
		MD5:—	SHA256:—
4452	app_process64	/data/data/com.video.fun.app/code_cache/1771598698982.dex		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

396

TCP/UDP connections

155

DNS requests

110

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	142.251.208.4:80	http://www.google.com/gen_204	US	—	—	whitelisted
3972	app_process64	GET	200	142.251.141.110:80	http://clients2.google.com/time/1/current?cup2key=9:-zOyYkF6KR7763fJvKiyhQhiRnwdmb8n_K2MSSgmLmI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	103 b	whitelisted
3972	app_process64	GET	200	104.18.53.154:443	https://vidssave.com/yt	US	html	154 Kb	unknown
3972	app_process64	GET	200	104.18.53.154:443	https://vidssave.com/_next/static/chunks/webpack-66719d27da4d99a7.js	US	text	4.22 Kb	unknown
3972	app_process64	GET	200	104.18.53.154:443	https://vidssave.com/_next/static/css/c3652d4fc7637a1c.css	US	text	89.3 Kb	unknown
3972	app_process64	GET	200	104.18.53.154:443	https://vidssave.com/_next/static/chunks/01ab8b0c-dce0167e46329e3f.js	US	—	168 Kb	unknown
3972	app_process64	GET	200	104.18.53.154:443	https://vidssave.com/_next/static/media/logo.80053b25.png	US	image	3.87 Kb	unknown
3972	app_process64	GET	200	104.18.53.154:443	https://vidssave.com/_next/static/chunks/5496-a29167b81b733976.js	US	text	67.6 Kb	unknown
3972	app_process64	GET	200	104.18.53.154:443	https://vidssave.com/_next/static/chunks/main-app-c27cee0267f8ace5.js	US	text	464 b	unknown
3972	app_process64	GET	200	104.18.53.154:443	https://vidssave.com/_next/static/chunks/8828-7b836f19aa9aa59a.js	US	text	5.47 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	142.251.208.4:80	www.google.com	GOOGLE	US	whitelisted
452	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.250.186.35:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.251.208.4:443	www.google.com	GOOGLE	US	whitelisted
3972	app_process64	142.251.141.110:80	google.com	GOOGLE	US	whitelisted
3972	app_process64	104.18.53.154:443	vidssave.com	CLOUDFLARENET	US	whitelisted
3972	app_process64	142.251.208.4:443	www.google.com	GOOGLE	US	whitelisted
3972	app_process64	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted
3972	app_process64	142.251.36.106:443	content-autofill.googleapis.com	GOOGLE	US	whitelisted
3972	app_process64	142.251.208.8:443	www.googletagmanager.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.141.110	whitelisted
www.google.com	142.251.208.4 142.251.156.119 142.251.157.119 142.251.155.119 142.251.151.119 142.251.153.119 142.251.152.119 142.251.150.119 142.251.154.119	whitelisted
clients2.google.com	142.251.141.110	whitelisted
vidssave.com	104.18.53.154 104.18.51.115	whitelisted
accounts.google.com	142.251.127.84	whitelisted
content-autofill.googleapis.com	142.251.36.106 142.251.143.106 142.250.186.74 142.250.186.42 172.217.16.202 216.58.206.42 142.251.141.138 142.251.127.95 172.217.16.170 216.58.206.74 142.250.201.74 142.251.37.10 142.251.141.106 142.251.141.74 142.251.140.170 172.217.168.74	whitelisted
www.googletagmanager.com	142.251.208.8	whitelisted
res-cf.jscssfunny.com	104.18.6.222 104.18.7.222	unknown
region1.google-analytics.com	216.239.34.36 216.239.32.36	whitelisted
www.clarity.ms	20.250.198.32	whitelisted

Threats

PID	Process	Class	Message
3972	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
3972	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check
4452	app_process64	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
4452	app_process64	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
4719	app_process64	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
4452	app_process64	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
4452	app_process64	Unknown Traffic	ET HUNTING Suspicious Empty User-Agent
4452	app_process64	Unknown Traffic	ET HUNTING Suspicious Empty User-Agent
4452	app_process64	Unknown Traffic	ET HUNTING Suspicious Empty User-Agent

Add for printing

No debug info

General Info

https://vidssave.com/yt

501E93D226A363994C9D451E5CDCF0FB

346DDC8DEEC4A1760BFA1F2038BD3B32A9487530

EE5F36604C053F498FC1A8FEFF37C0CD1DA5E8F6191F5B68D9293AC09D6CFDFD

3:N8OWPudIHR:2Nu6R

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

PROMPTSPY has been detected

Executes system commands or scripts

Checks whether the screen is currently on

SUSPICIOUS

Retrieves Android OS build information

Updates data in the storage of application settings (SharedPreferences)

Creates a WakeLock to manage power state

Uses encryption API functions

Collects data about the device's environment (JVM version)

Establishing a connection

Acquires a wake lock to keep the device awake

Accesses system-level resources

Starts a service

Retrieves the ISO country code of the current SIM card

Retrieves a list of running tasks

Monitors changes in clipboard content

Scans for popular installed apps

Abuses foreground service for persistence

Sets file permissions, owner, and group for a specified path

Retrieves the ISO country code of the current network

Accesses external device storage files

Retrieves a list of running application processes

Retrieves the MCC and MNC of the SIM card operator

Retrieves the file path to the APK

Checks for the presence of Android Monkey automation

Accesses memory information

Executes dynamic code using class loader

Triggers notification to user

Detects presence of QEMU emulator

INFO

Returns elapsed time since boot

Dynamically inspects or modifies classes, methods, and fields at runtime

Gets file name without full path

Verifies whether the device is connected to the internet

Retrieves data from storage of application settings (SharedPreferences)

Dynamically loads a class in Java

Stores data using SQLite database

Initiates a connection and sends an HTTP request

Listens for connection changes

Retrieves CPU core information

Retrieves the value of a secure system setting

Loads a native library into the application

Retrieves the value of a global system setting

Gets the display metrics associated with the device's screen

Handles throwable exceptions in the app

Verifies presence of SIM card

Checks system memory usage details

Retrieves the value of a system setting

Creates and writes local files

Detects if debugger is connected

Listens for changes in sensors

Drops script file

Detects device power status

Checks if Wi-Fi is enabled

Dynamically registers broadcast event listeners

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information