Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

sakura

Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL>

initial sample

Details

Filetype:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL>
Entropy:	6.316907063837966
Filename:	sakura
Filesize:	17185992
MD5:	fe0e5087df79cf7e88dc8bf7704260d1
SHA1:	51cd0aa5a6a1dd5472454bd189f37dfd80923aa1
SHA256:	46dbe21f33fba137ed0c97c2216d493ecc54a49272b64eef381fb8e2bcd10eec
SHA512:	24cb1a0496e6c0f47984298f024d04ee3461d5345319d043f848d96a0f8d888981e468a6c63c5ab49cb8a2bf122294e3a57ae4093338b20d74c6b97251e32b33
SSDEEP:	98304:2VJPoV9cjQJf0bFMPEEGVwr6cxs8mrMujUoMwnBzRBw/LEidIDOqRLbioAsX4MKp:2VAcqf0hyD3ssC3MMzR+/YLf
Preview:	....................................H...__PAGEZERO..............................................................__TEXT..........................................................__text..........__TEXT....................H....................................

Signature Hits	Behavior Group	Mitre Attack
Likely queries the I/O Kit registry to detect VMs by querying the "IOPlatformExpertDevice" class	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the unique Apple serial number of the machine	Language, Device and Operating System Detection
Contains symbols with suspicious names likely related to anti-analysis	Malware Analysis System Evasion
Contains symbols with suspicious names likely related to encryption	Cryptography
Contains symbols with suspicious names likely related to networking	Networking	Non-Application Layer Protocol Application Layer Protocol
Contains symbols with suspicious names likely related to well-known browsers	Data Obfuscation	Non-Application Layer Protocol Application Layer Protocol
Creates and/or modifies files and/or directories in common UNIX system configuration directories	Persistence and Installation Behavior
Executes commands using a shell command-line interpreter	Persistence and Installation Behavior	Scripting
Executes the "hostname" command used to retrieve the computers name	Persistence and Installation Behavior
Executes the "ioreg" command used to gather hardware information (I/O kit registry)	Language, Device and Operating System Detection
Executes the "uname" command used to read OS and architecture name	Stealing of Sensitive Information
Queries OS software version with shell command 'sw_vers'	Language, Device and Operating System Detection
Reads hardware related sysctl values	Language, Device and Operating System Detection	System Information Discovery
Reads process information of other processes	Language, Device and Operating System Detection	Process Discovery
Reads the systems OS release and/or type	Language, Device and Operating System Detection
Reads the systems hostname	Language, Device and Operating System Detection
Imports the IOKit framework library that provides device access capabilities (e.g. to register services, kexts)	Persistence and Installation Behavior
Imports the Security framework library that provides capabilities to protect information and control access to software (e.g. certificate, key, keychain, or secure transport handling	Persistence and Installation Behavior	Encrypted Channel
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Reads data from the local random generator	Persistence and Installation Behavior
Reads from file descriptors related to (network) sockets	Networking
URLs found in memory or binary data	Networking
Writes from file descriptors related to (network) sockets	Networking
Writes log files to disk	Persistence and Installation Behavior

/opt/sakura/data.db

data

dropped

Details

File:	/opt/sakura/data.db
Category:	dropped
Dump:	data.db.255.dr
ID:	dr_2
Target ID:	255
Process:	/Users/bernard/Desktop/sakura
Type:	data
Entropy:	7.9052021177539435
Encrypted:	false
Ssdeep:	48:xcgVXBhTGSC033MaMhQVbp3nEKC1D4MgczHtnpwGBCQq:SgRBcU3zeQVbGaMdhprCQq
Size:	2048
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

/opt/sakura/data.db-journal

data

dropped

Details

File:	/opt/sakura/data.db-journal
Category:	dropped
Dump:	data.db-journal.255.dr
ID:	dr_1
Target ID:	255
Process:	/Users/bernard/Desktop/sakura
Type:	data
Entropy:	4.942892517715865
Encrypted:	false
Ssdeep:	48:uU/VMNkTn+NDEmkhr7GkOELqm939BrWt+:uacbkhr7lqmx9f
Size:	2080
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

/opt/sakura/data.db-shm

data

dropped

Details

File:	/opt/sakura/data.db-shm
Category:	dropped
Dump:	data.db-shm.255.dr
ID:	dr_3
Target ID:	255
Process:	/Users/bernard/Desktop/sakura
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	8
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

/opt/sakura/data.db-wal

SQLite Write-Ahead Log, version 3007000

dropped

Details

File:	/opt/sakura/data.db-wal
Category:	dropped
Dump:	data.db-wal.255.dr
ID:	dr_4
Target ID:	255
Process:	/Users/bernard/Desktop/sakura
Type:	SQLite Write-Ahead Log, version 3007000
Entropy:	7.993041021658654
Encrypted:	true
Ssdeep:	12288:xkm2h6pwZSV2NOAp0pQXVZsBihCfkQ+lyHlykAEglJN8IZ:qm20pISgNOA+QlZsIhCc8lykAnlfZ
Size:	652936
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

/opt/sakura/logs/agent.log

Unicode text, UTF-8 text

dropped

Details

File:	/opt/sakura/logs/agent.log
Category:	dropped
Dump:	agent.log.255.dr
ID:	dr_0
Target ID:	255
Process:	/Users/bernard/Desktop/sakura
Type:	Unicode text, UTF-8 text
Entropy:	5.519633084703142
Encrypted:	false
Ssdeep:	24:p4X2JQSmw3uWSTSBGCFu4ve5ePve5ejve5eTve5eave5eG:pa2JQSmvXS8sdvPvjvTvavG
Size:	2373
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/private/etc/machine-id

ASCII text

dropped

Details

File:	/private/etc/machine-id
Category:	dropped
Dump:	machine-id.255.dr
ID:	dr_5
Target ID:	255
Process:	/Users/bernard/Desktop/sakura
Type:	ASCII text
Entropy:	3.7297250895022676
Encrypted:	false
Ssdeep:	3:XCVgAXtRmAdP:0tRVx
Size:	33
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32

/Users/bernard/Desktop/sakura

/usr/bin/sw_vers

sw_vers -productVersion

/Users/bernard/Desktop/sakura

/usr/sbin/ioreg

ioreg -rd1 -c IOPlatformExpertDevice

/Users/bernard/Desktop/sakura

/usr/bin/id

id -u

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list | awk '/sshd\.|loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /sshd\.|loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkgs

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.apple.pkg.TCCConfigData.16U1777

/Users/bernard/Desktop/sakura

/usr/bin/uname

uname -m

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.apple.pkg.IncompatibleAppList.10_14.16U1638

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.apple.pkg.EmbeddedOSFirmware

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.apple.pkg.XProtectPlistConfigData.16U4052

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.apple.pkg.GatekeeperConfigData.16U1809

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.apple.pkg.MRTConfigData.16U4054

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.apple.pkg.SecureBoot

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.apple.pkg.Core

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.adobe.acrobat.DC.reader.app.pkg.MUI

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.adobe.RdrServicesUpdater

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.oracle.jdk-11.0.3

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Fonts

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_Excel.app

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.xamarin.mono-MDK.pkg

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.adobe.pkg.FlashPlayer

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_Word.app

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.OneDrive

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Frameworks

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_OneNote.app

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_Outlook.app

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.adobe.acrobat.DC.reader.browser.pkg.MUI

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Proofing_Tools

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_AutoUpdate.app

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.adobe.armdc.app.pkg

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.adobe.acrobat.DC.reader.appsupport.pkg.MUI

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.pkg.licensing

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info com.microsoft.package.Microsoft_PowerPoint.app

/Users/bernard/Desktop/sakura

/usr/sbin/pkgutil

/usr/sbin/pkgutil --pkg-info

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c launchctl list | awk '{if ($3 == 'org.sakura.agent') {print $1}}'

/bin/bash

/bin/launchctl

launchctl list

/bin/bash

/usr/bin/awk

awk {if ($3 == 'org.sakura.agent') {print $1}}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c echo show com.apple.opendirectoryd.ActiveDirectory | /usr/sbin/scutil | awk -F ':' '/DomainNameDns/ {print $2}'

/bin/bash

/usr/sbin/scutil

/bin/bash

/usr/bin/awk

awk -F : /DomainNameDns/ {print $2}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /^[0-9]+.*loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'

/bin/bash

/bin/launchctl

/bin/launchctl procinfo

/bin/bash

/usr/bin/awk

awk /session id/, /flags/ {print}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /^[0-9]+.*loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'

/bin/bash

/bin/launchctl

/bin/launchctl procinfo

/bin/bash

/usr/bin/awk

awk /session id/, /flags/ {print}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list | awk '/sshd\.|loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /sshd\.|loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c ioreg -rd1 -c IOPlatformExpertDevice| awk -F '=' '/product-name/ {print $2}' | sed -e 's|.*'$.*$'.*|\1|g'

/bin/bash

/usr/sbin/ioreg

ioreg -rd1 -c IOPlatformExpertDevice

/bin/bash

/usr/bin/awk

awk -F = /product-name/ {print $2}

/bin/bash

/usr/bin/sed

sed -e s|.*'$.*$'.*|\1|g

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c ioreg -rd1 -c IOPlatformExpertDevice| awk -F '=' '/IOPlatformSerialNumber/ {print $2}' | sed -e 's|.*'$.*$'.*|\1|g'

/bin/bash

/usr/sbin/ioreg

ioreg -rd1 -c IOPlatformExpertDevice

/bin/bash

/usr/bin/awk

awk -F = /IOPlatformSerialNumber/ {print $2}

/bin/bash

/usr/bin/sed

sed -e s|.*'$.*$'.*|\1|g

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /^[0-9]+.*loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'

/bin/bash

/bin/launchctl

/bin/launchctl procinfo

/bin/bash

/usr/bin/awk

awk /session id/, /flags/ {print}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /^[0-9]+.*loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'

/bin/bash

/bin/launchctl

/bin/launchctl procinfo

/bin/bash

/usr/bin/awk

awk /session id/, /flags/ {print}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list | awk '/sshd\.|loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /sshd\.|loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /^[0-9]+.*loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'

/bin/bash

/bin/launchctl

/bin/launchctl procinfo

/bin/bash

/usr/bin/awk

awk /session id/, /flags/ {print}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /^[0-9]+.*loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'

/bin/bash

/bin/launchctl

/bin/launchctl procinfo

/bin/bash

/usr/bin/awk

awk /session id/, /flags/ {print}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list | awk '/sshd\.|loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /sshd\.|loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/hostname

hostname -f

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl list|awk '/^[0-9]+.*loginwindow\./ {print $1}'

/bin/bash

/bin/launchctl

/bin/launchctl list

/bin/bash

/usr/bin/awk

awk /^[0-9]+.*loginwindow\./ {print $1}

/Users/bernard/Desktop/sakura

/bin/bash

/bin/bash -c /bin/launchctl procinfo |awk '/session id/, /flags/ {print}'

/bin/bash

/bin/launchctl

/bin/launchctl procinfo

/bin/bash

/usr/bin/awk

awk /session id/, /flags/ {print}

/usr/libexec/xpcproxy

/usr/libexec/firmwarecheckers/eficheck/eficheck

/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

There are 220 hidden processes, click here to show them.

URLs

Name

Malicious

http://127.0.0.1:4567/w/metricsn/usr/libexec/networkserviceproxy/usr/libexec/keyboardservicesd

unknown

http://127.0.0.1:4567/w/metricsn/usr/libexec/networkserviceproxy/usr/libexec/keyboardservicesd/usr/s

unknown

http://127.0.0.1:4567/w/metrics/usr/libexec/findmydeviced

unknown

http://127.0.0.1:4567/w/metricsror:

unknown

http://127.0.0.1:4567/w/metrics

unknown

http://127.0.0.1:4567/w/metrics/usr/libexec/networkserviceproxy/usr/libexec/keyboardservicesd/usr/sb

unknown

http://127.0.0.1:1323http://127.0.0.1:4567http://localhost:1323illegal

unknown

http://127.0.0.1:4567/w/metrics/softwar/hardwar/window-/antivir/trace/proc

unknown

http://hw.ncpuinstallinvalidlookup

unknown

Domains

Name

Malicious

appledownload.map.fastly.net

151.101.3.8

h3.apis.apple.map.fastly.net

151.101.3.6

Details

Name:	h3.apis.apple.map.fastly.net
IP:	151.101.3.6
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

151.101.3.8

appledownload.map.fastly.net

United States

Details

IP:	151.101.3.8
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	54113
ASN name:	FASTLYUS
Private:	false
Domain:	appledownload.map.fastly.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.126.113.20

unknown

United States

Details

IP:	104.126.113.20
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

151.101.3.6

h3.apis.apple.map.fastly.net

United States

Details

IP:	151.101.3.6
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	54113
ASN name:	FASTLYUS
Private:	false
Domain:	h3.apis.apple.map.fastly.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

151.101.67.6

unknown

United States

Details

IP:	151.101.67.6
TargetID:	-1
Country:	United States
Countrycode:	USA
ASN number:	54113
ASN name:	FASTLYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

101741000

page read and write

10d4d7000

page read and write

109160000

page read and write

100fae000

page read and write

10082b000

page read and write

10d62b000

page execute read

10da78000

page read and write

104830000

page read and write

1010b2000

page read and write

109160000

page read and write

1092e0000

page read and write

105a69000

page readonly

103f41000

page readonly

c000800000

page read and write

10da73000

page read and write

10d6e3000

page readonly

c000000000

page read and write

100000000

page execute read

10d6aa000

page read and write

101791000

page read and write

109220000

page read and write

11d88c000

page read and write

101631000

page read and write

109000000

page read and write

109000000

page read and write

1092a0000

page read and write

10fc97000

page execute read

109000000

page read and write

101751000

page read and write

10d6aa000

page read and write

10b568000

page read and write

101731000

page read and write

10b55b000

page read and write

10d6e3000

page readonly

102406000

page read and write

104830000

page read and write

1013a0000

page read and write

1017d1000

page read and write

1143f8000

page read and write

104830000

page read and write

109160000

page read and write

10d6aa000

page read and write

10d6e3000

page readonly

106800000

page read and write

101300000

page read and write

1092e0000

page read and write

100fae000

page read and write

1017d1000

page read and write

c000000000

page read and write

109220000

page read and write

1017d1000

page read and write

1091a0000

page read and write

109220000

page read and write

101731000

page read and write

106800000

page read and write

103f40000

page read and write

1059b1000

page execute read

100000000

page execute read

1092a0000

page read and write

101791000

page read and write

100fae000

page read and write

100fef000

page readonly

10d43d000

page execute read

1143f3000

page read and write

1010a5000

page read and write

101741000

page read and write

c000400000

page read and write

100000000

page execute read

109160000

page read and write

111ba1000

page read and write

101791000

page read and write

101731000

page read and write

1017d1000

page read and write

1010b2000

page read and write

10d6af000

page read and write

c000000000

page read and write

c000400000

page read and write

101300000

page read and write

105a35000

page read and write

106800000

page read and write

1010b2000

page read and write

101741000

page read and write

10d6e3000

page readonly

10d6aa000

page read and write

10b550000

page read and write

1017e1000

page read and write

100000000

page execute read

102406000

page read and write

1010a5000

page read and write

100fef000

page readonly

1092a0000

page read and write

10fd27000

page readonly

101791000

page read and write

10b55e000

page readonly

1013a0000

page read and write

c000800000

page read and write

101791000

page read and write

10d62b000

page execute read

10d62b000

page execute read

100fef000

page readonly

109000000

page read and write

103f44000

page read and write

10d6af000

page read and write

1092a0000

page read and write

1010a5000

page read and write

10d6e3000

page readonly

1017e1000

page read and write

10d4bf000

page read and write

1092a0000

page read and write

101751000

page read and write

111ba6000

page read and write

10d6af000

page read and write

10d4ca000

page read and write

1013a0000

page read and write

c000400000

page read and write

101631000

page read and write

10d6af000

page read and write

1013a0000

page read and write

101420000

page read and write

106800000

page read and write

10d9f4000

page execute read

11d88c000

page read and write

102406000

page read and write

104830000

page read and write

1091a0000

page read and write

10fd19000

page read and write

101631000

page read and write

101741000

page read and write

1017d1000

page read and write

101751000

page read and write

101420000

page read and write

10b4ce000

page execute read

10082b000

page read and write

111bda000

page readonly

114374000

page execute read

100fae000

page read and write

1092e0000

page read and write

10082b000

page read and write

101631000

page read and write

101741000

page read and write

101300000

page read and write

101300000

page read and write

11442c000

page readonly

1010a5000

page read and write

10d62b000

page execute read

101300000

page read and write

c000800000

page read and write

1017e1000

page read and write

10d62b000

page execute read

1010a5000

page read and write

102406000

page read and write

10daac000

page readonly

10fd31000

page read and write

10d6af000

page read and write

1091a0000

page read and write

1091a0000

page read and write

109220000

page read and write

101731000

page read and write

c000000000

page read and write

109160000

page read and write

1010b2000

page read and write

103f3f000

page execute read

c000400000

page read and write

101631000

page read and write

c000000000

page read and write

10fd24000

page read and write

101300000

page read and write

101751000

page read and write

10082b000

page read and write

11d88c000

page read and write

100000000

page execute read

101791000

page read and write

10082b000

page read and write

111b22000

page execute read

104830000

page read and write

105a30000

page read and write

10d6aa000

page read and write

101751000

page read and write

101420000

page read and write

c000800000

page read and write

109000000

page read and write

10d6e3000

page readonly

10d4cd000

page readonly

106800000

page read and write

1013a0000

page read and write

101420000

page read and write

109000000

page read and write

101731000

page read and write

10082b000

page read and write

1017e1000

page read and write

100fae000

page read and write

102406000

page read and write

100fef000

page readonly

1010b2000

page read and write

11d88c000

page read and write

c000400000

page read and write

109220000

page read and write

100fef000

page readonly

101731000

page read and write

101741000

page read and write

101420000

page read and write

102406000

page read and write

11d88c000

page read and write

104830000

page read and write

100fef000

page readonly

1010a5000

page read and write

101420000

page read and write

1091a0000

page read and write

101631000

page read and write

10d62b000

page execute read

100fae000

page read and write

10d6aa000

page read and write

c000000000

page read and write

101751000

page read and write

11d88c000

page read and write

1010b2000

page read and write

1017e1000

page read and write

100000000

page execute read

1013a0000

page read and write

10d6af000

page read and write

There are 210 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
sakura

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsakura

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
sakura