Case 3:17-cv-05659-WHA Document 129-8 Filed 06/28/18 Page 1 of 3
EXHIBIT 6

5/25/2018

Static File Info

File type: PE32 executable (GUI) Intel 80386, for MS Windows
File name: vm_tricks_sample
File size: 196608
MD5: 6b16c4526a013e744b3d91cd7a091c36
SHA1: 610c916e1f3c5c9faebdd539d9ff2d82a807e1e2
SHA256: f7e1cb9f307794648443497824a72af7c22a6fd77ad67698affc5979172750a2
SHA512: 2ece4f9afee77f8bdd9e6b37c95e5e51632d8628d8946b7e52f1518ca6397b757f89e2e21b153cb8c85eb854afca34cc871ef7f07a0c2ee194a6965c833d5274

Static PE Info

General

Entrypoint: 0x41611c
Entrypoint Section: .text
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BITMACHINE, EXECUTABLEIMAGE
DLL Characteristics: TERMINALSERVERAWARE
Time Stamp: 0x81C4B2F8 [Tue Dec 28 12:22:16 2038 UTC]
TLS Callbacks:

Resources

Name       RVA      Size     Type  Language  Country
RT_RCDATA  0x1906c  0x12600  data

Imports

DLL           Import
ntdll.dll     NtUnmapViewOfSection
WS2_32.dll    WSAConnect, WSASocketA
WININET.dll   InternetGetConnectedState
KERNEL32.dll  HeapAlloc, CloseHandle, HeapFree, WriteFile, CreateFileA, SetFilePointer, GetProcessHeap, ExitProcess, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, DeleteFileA
USER32.dll    wvsprintfA

Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy
.text   0x1000           0x18000       0x18000   7.15986996647
.rsrc   0x19000          0x1266c       0x12800   7.85865882135
.reloc  0x2c000          0x5400        0x5600    2.2117994718

String Analysis

URLs

Social media names

String value: Mozilla/4.0 (compatible, Yahoo Japan; for robot study; kasugiya) equals www.yahoo.com (Yahoo)
Source: vm_tricks_sample.exe, svchst.exe

VM Artifacts

https://www.joesecurity.org/reports/report-6b16c4526a013e744b3d91cd7a091c361.html

3/68

FINJAN-JN 304957

5/25/2018

unknown
Commandline:
Imagebase: 0x400000
File size: 196608 bytes
MD5 hash: 6B16C4526A013E744B3D91CD7A091C36

File Activities

File Opened
File Created
File Deleted
File Written
Directory Queried

Section Activities

Section loaded by Windows

Registry Activities

Key Value Modified
Key Value Queried

Mutex Activities

Process Activities

Process Queried

Thread Activities

Thread Created
Thread Context Set
Thread Execution Resumed
Thread Delayed

Memory Activities

Memory Written
Memory Allocated
Memory Usage Statistics

System Activities

System Information Queried

Timing Activities

Chronological Activities

Analysis Process: svchst.exe PID: 1356 Parent PID: 1084

General

Start time: 09:46:20
Start date: 24/01/2012
Path: C:\WINDOWS\svchst.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\svchst.exe
Imagebase: 0x400000
File size: 196608 bytes
MD5 hash: 6B16C4526A013E744B3D91CD7A091C36

https://www.joesecurity.org/reports/report-6b16c4526a013e744b3d91cd7a091c361.html

9/68

FINJAN-JN 304963
