`Case 3:17-cv-05659-WHA Document 129-20 Filed 06/28/18 Page 1 of 2
`
`
`
`
`
`
`EXHIBIT 18
`
`Joe Sandbox Desktop - Analysis Report 34362
`Page 2 of 5
`Case 3:17-cv-05659-WHA Document 129-20 Filed 06/28/18 Page 2 of 2
`
`PE sections with suspicious entropy found
`
`Contains functionality to enumerate/ list files inside a directory
`
`Spreading:
`
`System Summary:
`
`Creates files inside the user directory
`
`Contains functionality for execution timing, often used to detect debuggers
`Found dropped PE file which has not been started or loaded
`
`Virtual Machine Detection:
`
`Contains functionality to enumerate/ list files inside a directory
`Queries a list of all running processes
`Contains capabilities to detect virtual machines
`
`Startup
`
`* system is xp
`
`* cc9fab2465a279b9424da3a09df7c8d5_undefined.exe (PID: 1840, MD5: CC9FAB2465A279B9424DA3A09DF7C8D5)
`
`* cleanup
`
`Created / dropped Files
`
`File Path: C:\Documents and Settings\All Users\svchost.exe
`
`Hashes:
`
`* MD5: CC9FAB2465A279B9424DA3A09DF7C8D5
`* SHA: DE0FCA6F868D48CCF6B5580301D73A44EBE07669
`* SHA-256: 45C0598E3DB3B7A0A 194BF6DE78C8454BCA2B5895A 1BCS| 1665D0E22243397E4
`* SHA-512: FDC478B37449AD98609FE3 1 1A86053AC107D LC76BE6F2062386FOBED2696FFF38675C80773693AAC846E 138D29238BD01F79D0D 189AF
`
`Contacted Domains
`
`No contacted domains info
`
`Contacted IPs
`
`No contacted IP infos
`
`Static File Info
`
`File type: Users\admin\Desktop\34362\sample/cc9fab2465a279b9424da3a09df7c8d5_undefined.exe; PE32 executable for MS Windows (GUI) Intel 80386 32-bit
`File name: cc9fab2465a279b9424da3a09df7c8d5_undefined.exe
`File size: 17920
`MD5: cc9fab2465a279b9424da3a09df7c8d5
`SHA1: de0fca6f868d48ccf6b5580301d73a44ebe07669
`SHA256: 45c0598e3db3b7a0a 194bf6de78c8454bca2b5895a lbe5 1 1665d0¢022243397e4
`SHA512: fdce478b37449ad98609fe3 | 1a86053ac 107d Lc76be6f2062386f0bed2696f1£38675c80773693aac846e138d29238bd0 Lf79d0d 189aed66720fa | aba9fd07b29
`
`Static PE Info
`
`General
`
`Entrypoint: 0x401b0e
`Entrypoint Section: text
`Imagebase: 0x400000
`Subsystem: windows gui
`
`https://www.joesecurity.org/reports/report-cc9fab2465a279b9424da3a09df7c8d5.html
`
`6/26/2018
`FINJAN-JN 358722
`
`