Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
sakura
|
Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL>
|
initial sample
|
||
/opt/sakura/data.db
|
data
|
dropped
|
||
/opt/sakura/data.db-journal
|
data
|
dropped
|
||
/opt/sakura/data.db-shm
|
data
|
dropped
|
||
/opt/sakura/data.db-wal
|
SQLite Write-Ahead Log, version 3007000
|
dropped
|
||
/opt/sakura/logs/agent.log
|
Unicode text, UTF-8 text
|
dropped
|
||
/private/etc/machine-id
|
ASCII text
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
|
-
|
||
/Users/bernard/Desktop/sakura
|
/Users/bernard/Desktop/sakura
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/bin/sw_vers
|
sw_vers -productVersion
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/ioreg
|
ioreg -rd1 -c IOPlatformExpertDevice
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/bin/id
|
id -u
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list | awk '/sshd\.|loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /sshd\.|loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkgs
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.apple.pkg.TCCConfigData.16U1777
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/bin/uname
|
uname -m
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.apple.pkg.IncompatibleAppList.10_14.16U1638
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.apple.pkg.EmbeddedOSFirmware
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.apple.pkg.XProtectPlistConfigData.16U4052
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.apple.pkg.GatekeeperConfigData.16U1809
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.apple.pkg.MRTConfigData.16U4054
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.apple.pkg.SecureBoot
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.apple.pkg.Core
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.adobe.acrobat.DC.reader.app.pkg.MUI
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.adobe.RdrServicesUpdater
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.oracle.jdk-11.0.3
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Fonts
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_Excel.app
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.xamarin.mono-MDK.pkg
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.adobe.pkg.FlashPlayer
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_Word.app
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.OneDrive
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Frameworks
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_OneNote.app
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_Outlook.app
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.adobe.acrobat.DC.reader.browser.pkg.MUI
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Proofing_Tools
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_AutoUpdate.app
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.adobe.armdc.app.pkg
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.adobe.acrobat.DC.reader.appsupport.pkg.MUI
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.pkg.licensing
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_PowerPoint.app
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/usr/sbin/pkgutil
|
/usr/sbin/pkgutil --pkg-info
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c launchctl list | awk '{if ($3 == 'org.sakura.agent') {print $1}}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk {if ($3 == 'org.sakura.agent') {print $1}}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c echo show com.apple.opendirectoryd.ActiveDirectory | /usr/sbin/scutil | awk -F ':' '/DomainNameDns/ {print $2}'
|
||
/bin/bash
|
-
|
||
/bin/bash
|
-
|
||
/usr/sbin/scutil
|
/usr/sbin/scutil
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk -F : /DomainNameDns/ {print $2}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /^[0-9]+.*loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl procinfo
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /session id/, /flags/ {print}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /^[0-9]+.*loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl procinfo
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /session id/, /flags/ {print}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list | awk '/sshd\.|loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /sshd\.|loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c ioreg -rd1 -c IOPlatformExpertDevice| awk -F '=' '/product-name/ {print $2}' | sed -e 's|.*'\(.*\)'.*|\1|g'
|
||
/bin/bash
|
-
|
||
/usr/sbin/ioreg
|
ioreg -rd1 -c IOPlatformExpertDevice
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk -F = /product-name/ {print $2}
|
||
/bin/bash
|
-
|
||
/usr/bin/sed
|
sed -e s|.*'\(.*\)'.*|\1|g
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c ioreg -rd1 -c IOPlatformExpertDevice| awk -F '=' '/IOPlatformSerialNumber/ {print $2}' | sed -e 's|.*'\(.*\)'.*|\1|g'
|
||
/bin/bash
|
-
|
||
/usr/sbin/ioreg
|
ioreg -rd1 -c IOPlatformExpertDevice
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk -F = /IOPlatformSerialNumber/ {print $2}
|
||
/bin/bash
|
-
|
||
/usr/bin/sed
|
sed -e s|.*'\(.*\)'.*|\1|g
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /^[0-9]+.*loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl procinfo
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /session id/, /flags/ {print}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /^[0-9]+.*loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl procinfo
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /session id/, /flags/ {print}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list | awk '/sshd\.|loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /sshd\.|loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /^[0-9]+.*loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl procinfo
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /session id/, /flags/ {print}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /^[0-9]+.*loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl procinfo
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /session id/, /flags/ {print}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list | awk '/sshd\.|loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /sshd\.|loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/hostname
|
hostname -f
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl list
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /^[0-9]+.*loginwindow\./ {print $1}
|
||
/Users/bernard/Desktop/sakura
|
-
|
||
/bin/bash
|
/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'
|
||
/bin/bash
|
-
|
||
/bin/launchctl
|
/bin/launchctl procinfo
|
||
/bin/bash
|
-
|
||
/usr/bin/awk
|
awk /session id/, /flags/ {print}
|
||
/usr/libexec/xpcproxy
|
-
|
||
/usr/libexec/firmwarecheckers/eficheck/eficheck
|
/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
|
This process list is truncated: 220 further processes are hidden in the original report and are not shown here.
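URLs
Note: several entries below have adjacent text fused onto them (one holds three URLs back to back), so they appear to be strings extracted from the sample rather than cleanly observed requests. Compare on the shared scheme/host/port/path prefix, not the full entry.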
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://127.0.0.1:4567/w/metricsn/usr/libexec/networkserviceproxy/usr/libexec/keyboardservicesd
|
unknown
|
||
http://127.0.0.1:4567/w/metricsn/usr/libexec/networkserviceproxy/usr/libexec/keyboardservicesd/usr/s
|
unknown
|
||
http://127.0.0.1:4567/w/metrics/usr/libexec/findmydeviced
|
unknown
|
||
http://127.0.0.1:4567/w/metricsror:
|
unknown
|
||
http://127.0.0.1:4567/w/metrics
|
unknown
|
||
http://127.0.0.1:4567/w/metrics/usr/libexec/networkserviceproxy/usr/libexec/keyboardservicesd/usr/sb
|
unknown
|
||
http://127.0.0.1:1323http://127.0.0.1:4567http://localhost:1323illegal
|
unknown
|
||
http://127.0.0.1:4567/w/metrics/softwar/hardwar/window-/antivir/trace/proc
|
unknown
|
||
http://hw.ncpuinstallinvalidlookup
|
unknown
|
Domains
Name
|
IP
|
Malicious
|
|
---|---|---|---|
appledownload.map.fastly.net
|
151.101.3.8
|
||
h3.apis.apple.map.fastly.net
|
151.101.3.6
|
IPs
IP
|
Domain
|
Country
|
Malicious
|
|
---|---|---|---|---|
151.101.3.8
|
appledownload.map.fastly.net
|
United States
|
||
104.126.113.20
|
unknown
|
United States
|
||
151.101.3.6
|
h3.apis.apple.map.fastly.net
|
United States
|
||
151.101.67.6
|
unknown
|
United States
|
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
101741000
|
page read and write
|
|||
10d4d7000
|
page read and write
|
|||
109160000
|
page read and write
|
|||
100fae000
|
page read and write
|
|||
10082b000
|
page read and write
|
|||
10d62b000
|
page execute read
|
|||
10da78000
|
page read and write
|
|||
104830000
|
page read and write
|
|||
1010b2000
|
page read and write
|
|||
109160000
|
page read and write
|
|||
1092e0000
|
page read and write
|
|||
105a69000
|
page readonly
|
|||
103f41000
|
page readonly
|
|||
c000800000
|
page read and write
|
|||
10da73000
|
page read and write
|
|||
10d6e3000
|
page readonly
|
|||
c000000000
|
page read and write
|
|||
100000000
|
page execute read
|
|||
10d6aa000
|
page read and write
|
|||
101791000
|
page read and write
|
|||
109220000
|
page read and write
|
|||
11d88c000
|
page read and write
|
|||
101631000
|
page read and write
|
|||
109000000
|
page read and write
|
|||
109000000
|
page read and write
|
|||
1092a0000
|
page read and write
|
|||
10fc97000
|
page execute read
|
|||
109000000
|
page read and write
|
|||
101751000
|
page read and write
|
|||
10d6aa000
|
page read and write
|
|||
10b568000
|
page read and write
|
|||
101731000
|
page read and write
|
|||
10b55b000
|
page read and write
|
|||
10d6e3000
|
page readonly
|
|||
102406000
|
page read and write
|
|||
104830000
|
page read and write
|
|||
1013a0000
|
page read and write
|
|||
1017d1000
|
page read and write
|
|||
1143f8000
|
page read and write
|
|||
104830000
|
page read and write
|
|||
109160000
|
page read and write
|
|||
10d6aa000
|
page read and write
|
|||
10d6e3000
|
page readonly
|
|||
106800000
|
page read and write
|
|||
101300000
|
page read and write
|
|||
1092e0000
|
page read and write
|
|||
100fae000
|
page read and write
|
|||
1017d1000
|
page read and write
|
|||
c000000000
|
page read and write
|
|||
109220000
|
page read and write
|
|||
1017d1000
|
page read and write
|
|||
1091a0000
|
page read and write
|
|||
109220000
|
page read and write
|
|||
101731000
|
page read and write
|
|||
106800000
|
page read and write
|
|||
103f40000
|
page read and write
|
|||
1059b1000
|
page execute read
|
|||
100000000
|
page execute read
|
|||
1092a0000
|
page read and write
|
|||
101791000
|
page read and write
|
|||
100fae000
|
page read and write
|
|||
100fef000
|
page readonly
|
|||
10d43d000
|
page execute read
|
|||
1143f3000
|
page read and write
|
|||
1010a5000
|
page read and write
|
|||
101741000
|
page read and write
|
|||
c000400000
|
page read and write
|
|||
100000000
|
page execute read
|
|||
109160000
|
page read and write
|
|||
111ba1000
|
page read and write
|
|||
101791000
|
page read and write
|
|||
101731000
|
page read and write
|
|||
1017d1000
|
page read and write
|
|||
1010b2000
|
page read and write
|
|||
10d6af000
|
page read and write
|
|||
c000000000
|
page read and write
|
|||
c000400000
|
page read and write
|
|||
101300000
|
page read and write
|
|||
105a35000
|
page read and write
|
|||
106800000
|
page read and write
|
|||
1010b2000
|
page read and write
|
|||
101741000
|
page read and write
|
|||
10d6e3000
|
page readonly
|
|||
10d6aa000
|
page read and write
|
|||
10b550000
|
page read and write
|
|||
1017e1000
|
page read and write
|
|||
100000000
|
page execute read
|
|||
102406000
|
page read and write
|
|||
1010a5000
|
page read and write
|
|||
100fef000
|
page readonly
|
|||
1092a0000
|
page read and write
|
|||
10fd27000
|
page readonly
|
|||
101791000
|
page read and write
|
|||
10b55e000
|
page readonly
|
|||
1013a0000
|
page read and write
|
|||
c000800000
|
page read and write
|
|||
101791000
|
page read and write
|
|||
10d62b000
|
page execute read
|
|||
10d62b000
|
page execute read
|
|||
100fef000
|
page readonly
|
|||
109000000
|
page read and write
|
|||
103f44000
|
page read and write
|
|||
10d6af000
|
page read and write
|
|||
1092a0000
|
page read and write
|
|||
1010a5000
|
page read and write
|
|||
10d6e3000
|
page readonly
|
|||
1017e1000
|
page read and write
|
|||
10d4bf000
|
page read and write
|
|||
1092a0000
|
page read and write
|
|||
101751000
|
page read and write
|
|||
111ba6000
|
page read and write
|
|||
10d6af000
|
page read and write
|
|||
10d4ca000
|
page read and write
|
|||
1013a0000
|
page read and write
|
|||
c000400000
|
page read and write
|
|||
101631000
|
page read and write
|
|||
10d6af000
|
page read and write
|
|||
1013a0000
|
page read and write
|
|||
101420000
|
page read and write
|
|||
106800000
|
page read and write
|
|||
10d9f4000
|
page execute read
|
|||
11d88c000
|
page read and write
|
|||
102406000
|
page read and write
|
|||
104830000
|
page read and write
|
|||
1091a0000
|
page read and write
|
|||
10fd19000
|
page read and write
|
|||
101631000
|
page read and write
|
|||
101741000
|
page read and write
|
|||
1017d1000
|
page read and write
|
|||
101751000
|
page read and write
|
|||
101420000
|
page read and write
|
|||
10b4ce000
|
page execute read
|
|||
10082b000
|
page read and write
|
|||
111bda000
|
page readonly
|
|||
114374000
|
page execute read
|
|||
100fae000
|
page read and write
|
|||
1092e0000
|
page read and write
|
|||
10082b000
|
page read and write
|
|||
101631000
|
page read and write
|
|||
101741000
|
page read and write
|
|||
101300000
|
page read and write
|
|||
101300000
|
page read and write
|
|||
11442c000
|
page readonly
|
|||
1010a5000
|
page read and write
|
|||
10d62b000
|
page execute read
|
|||
101300000
|
page read and write
|
|||
c000800000
|
page read and write
|
|||
1017e1000
|
page read and write
|
|||
10d62b000
|
page execute read
|
|||
1010a5000
|
page read and write
|
|||
102406000
|
page read and write
|
|||
10daac000
|
page readonly
|
|||
10fd31000
|
page read and write
|
|||
10d6af000
|
page read and write
|
|||
1091a0000
|
page read and write
|
|||
1091a0000
|
page read and write
|
|||
109220000
|
page read and write
|
|||
101731000
|
page read and write
|
|||
c000000000
|
page read and write
|
|||
109160000
|
page read and write
|
|||
1010b2000
|
page read and write
|
|||
103f3f000
|
page execute read
|
|||
c000400000
|
page read and write
|
|||
101631000
|
page read and write
|
|||
c000000000
|
page read and write
|
|||
10fd24000
|
page read and write
|
|||
101300000
|
page read and write
|
|||
101751000
|
page read and write
|
|||
10082b000
|
page read and write
|
|||
11d88c000
|
page read and write
|
|||
100000000
|
page execute read
|
|||
101791000
|
page read and write
|
|||
10082b000
|
page read and write
|
|||
111b22000
|
page execute read
|
|||
104830000
|
page read and write
|
|||
105a30000
|
page read and write
|
|||
10d6aa000
|
page read and write
|
|||
101751000
|
page read and write
|
|||
101420000
|
page read and write
|
|||
c000800000
|
page read and write
|
|||
109000000
|
page read and write
|
|||
10d6e3000
|
page readonly
|
|||
10d4cd000
|
page readonly
|
|||
106800000
|
page read and write
|
|||
1013a0000
|
page read and write
|
|||
101420000
|
page read and write
|
|||
109000000
|
page read and write
|
|||
101731000
|
page read and write
|
|||
10082b000
|
page read and write
|
|||
1017e1000
|
page read and write
|
|||
100fae000
|
page read and write
|
|||
102406000
|
page read and write
|
|||
100fef000
|
page readonly
|
|||
1010b2000
|
page read and write
|
|||
11d88c000
|
page read and write
|
|||
c000400000
|
page read and write
|
|||
109220000
|
page read and write
|
|||
100fef000
|
page readonly
|
|||
101731000
|
page read and write
|
|||
101741000
|
page read and write
|
|||
101420000
|
page read and write
|
|||
102406000
|
page read and write
|
|||
11d88c000
|
page read and write
|
|||
104830000
|
page read and write
|
|||
100fef000
|
page readonly
|
|||
1010a5000
|
page read and write
|
|||
101420000
|
page read and write
|
|||
1091a0000
|
page read and write
|
|||
101631000
|
page read and write
|
|||
10d62b000
|
page execute read
|
|||
100fae000
|
page read and write
|
|||
10d6aa000
|
page read and write
|
|||
c000000000
|
page read and write
|
|||
101751000
|
page read and write
|
|||
11d88c000
|
page read and write
|
|||
1010b2000
|
page read and write
|
|||
1017e1000
|
page read and write
|
|||
100000000
|
page execute read
|
|||
1013a0000
|
page read and write
|
|||
10d6af000
|
page read and write
|
This memdump list is truncated: 210 further memdumps are hidden in the original report and are not shown here.