Play interactive tour

Edit tour

Analysis Report https://www.kilpatrick-executive.com/xfile1/

Overview

General Information

Sample URL:	https://www.kilpatrick-executive.com/xfile1/
Analysis ID:	339279
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on shot template match)

Yara detected HtmlPhish_10

Yara detected HtmlPhish_7

Phishing site detected (based on various OCR indicators)

HTML body contains low number of good links

HTML title does not match URL

Classification

Startup

System is w10x64

iexplore.exe (PID: 5220 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 988 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5220 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm	JoeSecurity_HtmlPhish_7	Yara detected HtmlPhish_7	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Phishing:

Phishing site detected (based on shot template match)

Show sources

Source: https://www.kilpatrick-executive.com/xfile1/

Matcher: Template: office matched

Yara detected HtmlPhish_10

Show sources

Source: Yara match	File source: 927537.pages.csv, type: HTML
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm, type: DROPPED

Yara detected HtmlPhish_7

Show sources

Source: Yara match	File source: 927537.pages.csv, type: HTML
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm, type: DROPPED

Phishing site detected (based on various OCR indicators)

Show sources

Source: Screenshots

OCR Text: )- Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 OO Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe.

Source: https://www.kilpatrick-executive.com/xfile1/	HTTP Parser: Number of links: 0
Source: https://www.kilpatrick-executive.com/xfile1/	HTTP Parser: Number of links: 0

Source: https://www.kilpatrick-executive.com/xfile1/	HTTP Parser: Title: Share Point Online does not match URL
Source: https://www.kilpatrick-executive.com/xfile1/	HTTP Parser: Title: Share Point Online does not match URL

Source: https://www.kilpatrick-executive.com/xfile1/	HTTP Parser: No <meta name="author".. found
Source: https://www.kilpatrick-executive.com/xfile1/	HTTP Parser: No <meta name="author".. found

Source: https://www.kilpatrick-executive.com/xfile1/	HTTP Parser: No <meta name="copyright".. found
Source: https://www.kilpatrick-executive.com/xfile1/	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 91.213.11.127:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.213.11.127:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49733 version: TLS 1.2

Source: unknown

DNS traffic detected: queries for: www.kilpatrick-executive.com

Source: hover[1].css.3.dr	String found in binary or memory: http://ianlunn.co.uk/
Source: hover[1].css.3.dr	String found in binary or memory: http://ianlunn.github.io/Hover/)
Source: popper.min[1].js.3.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: free.min[1].css.3.dr	String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.3.dr	String found in binary or memory: https://fontawesome.com/license/free
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Yellowtail&display=swap
Source: css[1].css.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/yellowtail/v11/OZpGg_pnoDtINPfRIlLohlvHxw.woff)
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr	String found in binary or memory: https://getbootstrap.com)
Source: hover[1].css.3.dr	String found in binary or memory: https://github.com/IanLunn/Hover
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.3.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.3.dr	String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.3.dr	String found in binary or memory: https://kit.fontawesome.com
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://login.microsoftonline.com/common/login
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: xfile1[1].htm.3.dr	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: imagestore.dat.3.dr	String found in binary or memory: https://www.kilpatrick-executive.com/favicon.ico
Source: ~DF88F6808F3CD3FE9E.TMP.1.dr	String found in binary or memory: https://www.kilpatrick-executive.com/xfile1/
Source: ~DF88F6808F3CD3FE9E.TMP.1.dr	String found in binary or memory: https://www.kilpatrick-executive.com/xfile1/$Share
Source: {9EC321F3-561A-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://www.kilpatrick-executive.com/xfile1/Root
Source: ~DF88F6808F3CD3FE9E.TMP.1.dr	String found in binary or memory: https://www.kilpatrick-executive.com/xfile1/z

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 91.213.11.127:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.213.11.127:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49733 version: TLS 1.2

Source: classification engine

Classification label: mal68.phis.win@3/26@7/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9EC321F1-561A-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF242C40FDCA1BED89.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5220 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5220 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://www.kilpatrick-executive.com/xfile1/	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.kilpatrick-executive.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://www.kilpatrick-executive.com/favicon.ico	0%	Avira URL Cloud	safe
http://ianlunn.github.io/Hover/)	0%	Avira URL Cloud	safe
https://www.kilpatrick-executive.com/xfile1/z	0%	Avira URL Cloud	safe
https://www.kilpatrick-executive.com/xfile1/$Share	0%	Avira URL Cloud	safe
https://getbootstrap.com)	0%	Avira URL Cloud	safe
http://ianlunn.co.uk/	0%	URL Reputation	safe
http://ianlunn.co.uk/	0%	URL Reputation	safe
http://ianlunn.co.uk/	0%	URL Reputation	safe
https://www.kilpatrick-executive.com/xfile1/Root	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdnjs.cloudflare.com	104.16.19.94	true	false		high
kilpatrick-executive.com	91.213.11.127	true	false		unknown
ka-f.fontawesome.com	unknown	unknown	false		high
code.jquery.com	unknown	unknown	false		high
www.kilpatrick-executive.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
kit.fontawesome.com	unknown	unknown	false		high
maxcdn.bootstrapcdn.com	unknown	unknown	false		high
favicon.ico	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.kilpatrick-executive.com/xfile1/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.kilpatrick-executive.com/favicon.ico	imagestore.dat.3.dr	false	Avira URL Cloud: safe	unknown
http://ianlunn.github.io/Hover/)	hover[1].css.3.dr	false	Avira URL Cloud: safe	unknown
https://www.kilpatrick-executive.com/xfile1/z	~DF88F6808F3CD3FE9E.TMP.1.dr	true	Avira URL Cloud: safe	unknown
https://ka-f.fontawesome.com	585b051251[1].js.3.dr	false		high
https://www.kilpatrick-executive.com/xfile1/	~DF88F6808F3CD3FE9E.TMP.1.dr	true		unknown
https://code.jquery.com/jquery-3.2.1.slim.min.js	xfile1[1].htm.3.dr	false		high
https://code.jquery.com/jquery-3.1.1.min.js	xfile1[1].htm.3.dr	false		high
https://code.jquery.com/jquery-3.3.1.js	xfile1[1].htm.3.dr	false		high
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css	xfile1[1].htm.3.dr	false		high
https://www.kilpatrick-executive.com/xfile1/$Share	~DF88F6808F3CD3FE9E.TMP.1.dr	true	Avira URL Cloud: safe	unknown
https://fontawesome.com/license/free	free.min[1].css.3.dr	false		high
https://fontawesome.com	free.min[1].css.3.dr	false		high
https://kit.fontawesome.com	585b051251[1].js.3.dr	false		high
https://github.com/twbs/bootstrap/graphs/contributors)	bootstrap.min[1].js.3.dr	false		high
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	xfile1[1].htm.3.dr	false		high
https://login.microsoftonline.com/common/login	xfile1[1].htm.3.dr	false		high
https://getbootstrap.com)	bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr	false	Avira URL Cloud: safe	low
http://ianlunn.co.uk/	hover[1].css.3.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/twbs/bootstrap/blob/master/LICENSE)	bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr	false		high
https://www.kilpatrick-executive.com/xfile1/Root	{9EC321F3-561A-11EB-90E5-ECF4BB570DC9}.dat.1.dr	true	Avira URL Cloud: safe	unknown
https://github.com/IanLunn/Hover	hover[1].css.3.dr	false		high
http://opensource.org/licenses/MIT).	popper.min[1].js.3.dr	false		high
https://kit.fontawesome.com/585b051251.js	xfile1[1].htm.3.dr	false		high
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js	xfile1[1].htm.3.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.213.11.127	unknown	Romania		49468	MAG-BROSS-ASRO	false
104.16.19.94	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339279
Start date:	13.01.2021
Start time:	19:42:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	browseurl.jbs
Sample URL:	https://www.kilpatrick-executive.com/xfile1/
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.phis.win@3/26@7/2
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): ielowutil.exe, backgroundTaskHost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.255.188.83, 13.64.90.137, 88.221.62.148, 209.197.3.24, 108.177.127.95, 209.197.3.15, 108.177.126.95, 104.18.22.52, 104.18.23.52, 172.64.203.28, 172.64.202.28, 23.210.248.85, 51.104.139.180 Excluded domains from analysis (whitelisted): kit.fontawesome.com.cdn.cloudflare.net, skypedataprdcolwus17.cloudapp.net, cds.s5x3j6q5.hwcdn.net, fonts.googleapis.com, fs.microsoft.com, arc.msn.com.nsatc.net, ka-f.fontawesome.com.cdn.cloudflare.net, ajax.googleapis.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, go.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, cds.j3z9t3p6.hwcdn.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9EC321F1-561A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8563419701617454
Encrypted:	false
SSDEEP:	96:r3Z+Zz2p9W/tjbfKihKMSpqLjQkxfhi06X:r3Z+Zz2p9W/t3fK9MTwKfhcX
MD5:	1587D17D1428C9CBC6A641BA3E0D2B11
SHA1:	9F7D6D837953EA013D470D086027CDA639343B6D
SHA-256:	63391DD4AFECFA3BF21166AED8DE02CDC002928DC3D754DC838F119E306E8E5B
SHA-512:	B524C4181F702BC4753E2B0A79F3AC151B7BA182137CA3EA85FBA1233EA070D025DBDEECC2973C04D67ADBA25C78FBAF32039BCDC8ECEA6D23066E5DD9F7568A
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9EC321F3-561A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27496
Entropy (8bit):	1.784570982373976
Encrypted:	false
SSDEEP:	48:IwJGcprEGwpauG4pQCGrapbSKrGQpBuGHHpcYsTGUp87GzYpmg3YGop9qrHGKXpQ:rPZ8QO6EBSKFj92YkWBMIYToY30b8r
MD5:	7BEE8C8E0AB26FC8AC7E256D9E1749D4
SHA1:	F9308AA829D9731A2615CF28B90B7FA59ED2D581
SHA-256:	3B4D8F38D1CE6ED5028B8F09482E6096419DF134BECC0836845E00502CCE4A69
SHA-512:	0404E10282FF82F18A54F0F557219273859343D3C4A3944CD5945FE7CC2167D66EE989C8057316821EF1E33EBC6256CEEA58B4DDCFBB0632D4F11AD6640FB95B
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9EC321F4-561A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5642575252968922
Encrypted:	false
SSDEEP:	48:IwxGcprYGwpatG4pQlGrapbSkrGQpKCFG7HpR3xsTGIpG:rHZAQP6VBSkFAC0Th4A
MD5:	D18473C632885A579E28B4266109ED67
SHA1:	319B6BB603DF7C2920D1E36ECC001E2907AA574B
SHA-256:	1ABA301965875CF2B4059A23703FB78C9B4ED271C31A27E9D471BD5F79C953BE
SHA-512:	B3F4760F5AF87714744A9AC750C109EAFBF86A1EEDD14760FB6ADAB91042F11E64B84E0E62ACBF94D85A0E12C98A14376B1361EC6EA5D35CD7F2353A73FF0783
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	4253
Entropy (8bit):	7.914713738837055
Encrypted:	false
SSDEEP:	96:K3bdWfcmTY+aRF1pXWZL2+42HGhIUc8KeLEG:KgXTY+as02mOB8XLEG
MD5:	6C9A39FD55B691D9CCD3304C89DDF1B9
SHA1:	542F43FA139E065F53813280E1DD4B3CB6B24A60
SHA-256:	D5269AE9BBA51684CFE877133F94C4D0AB9FD642866999B453A9B37F2B98C87C
SHA-512:	D7242CC9E9023EAD9C16803BE3DEA474A150C05DA34CE26E16C70C9B91C73DD5A6B94E32E404F6C6CD40D08E1F09DF8645ED7DBC35C86F37B0AAB9C2BF80FC10
Malicious:	false
Reputation:	low
Preview:	0.h.t.t.p.s.:././.w.w.w...k.i.l.p.a.t.r.i.c.k.-.e.x.e.c.u.t.i.v.e...c.o.m./.f.a.v.i.c.o.n...i.c.o......PNG........IHDR...P...P............IDATx..].xU...[..V..).Kk...V.k..J]jKEl?...t...!.{.,...E........@....F.%.....B...N.y..w.....I{.o...;.s..3...WH......./.zBp.o,XW.......#Z.f...\|mvD..9..F........y..o....1^.743l.......v..#.c.E&.e..hU1.{..........._cZ..We.v.....f.w....(..6\|.Y.. I:x..-.&.......D........<.6.6.l....T..)...\|....#..$g...VN.......!'/6.w..B.h.}....EV.......k.7" f.}.G.~#..M..+....G....iB......]..?+......'.j.GB..P%......\........../..%...&.8E...".........44.J...1.........S...........d.j..]ni%._..9.{.O?.H..6T.\|A.GC..g...U.oDEt,?.0....~....q=.y.~.9.Z......c...v.._....$.0.2...F.9a.L..)..l...2...w...I..&....Vg......H.I..r......./....z.`..+...Z.^U.=..5aBpb..0< ../>.9.c....".I..0.3N,}}....\|]Fb...Q.......W.....OQ..y;.....\|.37..}.....(c.....X..`xX).;......<5S....>.9..G.:..=..0^.......l_<G......H....C.O......Hk{..{....]Nc..B.8..}%>..w....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\gmail[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 1280 x 1280, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	66743
Entropy (8bit):	7.712342056984168
Encrypted:	false
SSDEEP:	1536:FxqKcVqezl0vLoYxEuKoYk5LHjGkT3b1mQOEj0+R+EH:FsK2qezl0zoYxEuKo7CYrOb+Rb
MD5:	DCE2F2B0E50CB1DBB0246D152791CB46
SHA1:	D0A69C159304EDC08DB005163E7A0DAF5A1E98A6
SHA-256:	ACF087C1757F08B0CFD53D59066544D7EF0BFCC50999E77C5813739CD9DC1479
SHA-512:	91054B36EF1673B24E4FE3DC324CBE339F4E9EB72785A6A4C355C7B2A11A9A7C6E188FF9BF5B34FFDD2805D4BBED71EF6CA4975EE3E330FD8D8E383ED64B28EE
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/xfile1/images/gmail.png
Preview:	.PNG........IHDR.....................sBIT....\|.d.....pHYs............/....tEXtSoftware.www.inkscape.org..<... .IDATx...{x.u.....I.sS..9Q(..J.L&.$..V\|........#.."...Zw.eEQv.Q..U.A]9Vh..I8...H2)`....i.....).....f.y....L.pu...{n..........................................................................................................................................................................................................................................................................................................................................................................................................@Is..... mj=...X<65....U.l.b.t.U...mR...e..P.i.$.i2U..@N1.f...i.s...cf.../....2ev.`..%.\|.o...s..j..l.B....V&..s;b..Pfg......!...:..5....$.@...I0.=.lY.......a...B.4g... T.9Wif..R..o.R.t'.0...?G.9i...L...*..&..s.Vgnkhn...;p[.0.5.........$......P......^".HL.M...@.p..;04....9.&.(i....9.sK..=&.'$m........f..1..'...f2.Uww......PH....@..xq....k.2..l.Luf..s5..`.\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\jquery-3.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	86709
Entropy (8bit):	5.367391365596119
Encrypted:	false
SSDEEP:	1536:9NhEyjjTikEJO4edXXe9J578go6MWXqcVhrLyB4Lw13sh2bzrl1+iuH7U3gBORDT:jxcq0hrLZwpsYbmzORDU8Cu5
MD5:	E071ABDA8FE61194711CFC2AB99FE104
SHA1:	F647A6D37DC4CA055CED3CF64BBC1F490070ACBA
SHA-256:	85556761A8800D14CED8FCD41A6B8B26BF012D44A318866C0D81A62092EFD9BF
SHA-512:	53A2B560B20551672FBB0E6E72632D4FD1C7E2DD2ECF7337EBAAAB179CB8BE7C87E9D803CE7765706BC7FCBCF993C34587CD1237DE5A279AEA19911D69067B65
Malicious:	false
Reputation:	low
IE Cache URL:	https://code.jquery.com/jquery-3.1.1.min.js
Preview:	/! jQuery v3.1.1 \| (c) jQuery Foundation \| jquery.org/license /.!function(a,b){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){"use strict";var c=[],d=a.document,e=Object.getPrototypeOf,f=c.slice,g=c.concat,h=c.push,i=c.indexOf,j={},k=j.toString,l=j.hasOwnProperty,m=l.toString,n=m.call(Object),o={};function p(a,b){b=b\|\|d;var c=b.createElement("script");c.text=a,b.head.appendChild(c).parentNode.removeChild(c)}var q="3.1.1",r=function(a,b){return new r.fn.init(a,b)},s=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,t=/^-ms-/,u=/-([a-z])/g,v=function(a,b){return b.toUpperCase()};r.fn=r.prototype={jquery:q,constructor:r,length:0,toArray:function(){return f.call(this)},get:function(a){return null==a?f.call(this):a<0?this[a+this.length]:this[a]},pushStack:function(a){var b=r.merge(this.con

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\jquery-3.2.1.slim.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	69597
Entropy (8bit):	5.369216080582935
Encrypted:	false
SSDEEP:	1536:qNhEyjjTikEJO4edXXe9J578go6MWX2xkjVe4c4j2ll2Ac7pK3F71QDU8CuT:Exc2yjq4j2uYnQDU8CuT
MD5:	5F48FC77CAC90C4778FA24EC9C57F37D
SHA1:	9E89D1515BC4C371B86F4CB1002FD8E377C1829F
SHA-256:	9365920887B11B33A3DC4BA28A0F93951F200341263E3B9CEFD384798E4BE398
SHA-512:	CAB8C4AFA1D8E3A8B7856EE29AE92566D44CEEAD70C8D533F2C98A976D77D0E1D314719B5C6A473789D8C6B21EBB4B89A6B0EC2E1C9C618FB1437EBC77D3A269
Malicious:	false
Reputation:	low
IE Cache URL:	https://code.jquery.com/jquery-3.2.1.slim.min.js
Preview:	/! jQuery v3.2.1 -ajax,-ajax/jsonp,-ajax/load,-ajax/parseXML,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_evalUrl,-event/ajax,-effects,-effects/Tween,-effects/animatedSelector \| (c) JS Foundation and other contributors \| jquery.org/license /.!function(a,b){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){"use strict";var c=[],d=a.document,e=Object.getPrototypeOf,f=c.slice,g=c.concat,h=c.push,i=c.indexOf,j={},k=j.toString,l=j.hasOwnProperty,m=l.toString,n=m.call(Object),o={};function p(a,b){b=b\|\|d;var c=b.createElement("script");c.text=a,b.head.appendChild(c).parentNode.removeChild(c)}var q="3.2.1 -ajax,-ajax/jsonp,-ajax/load,-ajax/parseXML,-ajax/script,-ajax/var/location,-ajax/var/nonce,-ajax/var/rquery,-ajax/xhr,-manipulation/_e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\other1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 190 x 187, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	21882
Entropy (8bit):	4.268463452779894
Encrypted:	false
SSDEEP:	192:ESCkiDw7e9Mg/wio0EYm9FWyo2XdJfXoOZdEDfmiIJQdiRVi/WTanY:DBiDw7eAdq+FWyo2/fXoZbDIJ0ci/BnY
MD5:	6843A244E12FAB158AA189680B5E7049
SHA1:	0E1C691F87CC4FA35C88344974F2829C40176B70
SHA-256:	3A9B144D6482B78AFC4E0A940A1D3C22240F14FA535B808CF4DAB9635339569F
SHA-512:	145010C45B6B83EA4005EB367C0507959FF0817E482F19E9973504081ACAE1B7827CBD1172CEC7732B13F4E0CEC058271BD6700444FBCF61FB6A3C068A3744C4
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/xfile1/images/other1.png
Preview:	.PNG........IHDR..............$.... cHRM..z&..............u0...`..:....p..Q<....sRGB.........gAMA......a.....pHYs...............:.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmp:CreatorTool>Adobe Photoshop CC 2015 (Windows)</xmp:CreatorTool>. <xmp:CreateDate>2020-01-18T21:59:57+05:00</xmp:CreateDate>. <

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\popper.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	19188
Entropy (8bit):	5.212814407014048
Encrypted:	false
SSDEEP:	384:+CbuG4xGNoDic2UjKPafxwC5b/4xQviOJU7QzxzivDdE3pcGdjkd/9jt3B+Kb964:zb4xGmiJfaf7gxQvVU7eziv+cSjknZ3f
MD5:	70D3FDA195602FE8B75E0097EED74DDE
SHA1:	C3B977AA4B8DFB69D651E07015031D385DED964B
SHA-256:	A52F7AA54D7BCAAFA056EE0A050262DFC5694AE28DEE8B4CAC3429AF37FF0D66
SHA-512:	51AFFB5A8CFD2F93B473007F6987B19A0A1A0FB970DDD59EF45BD77A355D82ABBBD60468837A09823496411E797F05B1F962AE93C725ED4C00D514BA40269D14
Malicious:	false
Reputation:	low
IE Cache URL:	https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Preview:	/. Copyright (C) Federico Zivolo 2017. Distributed under the MIT License (license terms are at http://opensource.org/licenses/MIT).. /(function(e,t){'object'==typeof exports&&'undefined'!=typeof module?module.exports=t():'function'==typeof define&&define.amd?define(t):e.Popper=t()})(this,function(){'use strict';function e(e){return e&&'[object Function]'==={}.toString.call(e)}function t(e,t){if(1!==e.nodeType)return[];var o=getComputedStyle(e,null);return t?o[t]:o}function o(e){return'HTML'===e.nodeName?e:e.parentNode\|\|e.host}function n(e){if(!e)return document.body;switch(e.nodeName){case'HTML':case'BODY':return e.ownerDocument.body;case'#document':return e.body;}var i=t(e),r=i.overflow,p=i.overflowX,s=i.overflowY;return /(auto\|scroll)/.test(r+s+p)?e:n(o(e))}function r(e){var o=e&&e.offsetParent,i=o&&o.nodeName;return i&&'BODY'!==i&&'HTML'!==i?-1!==['TD','TABLE'].indexOf(o.nodeName)&&'static'===t(o,'position')?r(o):o:e?e.ownerDocument.documentElement:document.documentElement}functio

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	[TIFF image data, big-endian, direntries=12, height=709, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=1200], baseline, precision 8, 1200x646, frames 3
Category:	downloaded
Size (bytes):	161118
Entropy (8bit):	7.5594351594508185
Encrypted:	false
SSDEEP:	3072:WucfAcwuKGuN2q/gSsqnk4br5XUGpppLqfmazv7l04J:OMuKbYOF355XEuAv7lnJ
MD5:	F17B5B1163EFB6D2D47DE6BAE6D3A9CD
SHA1:	6D6964B34BC44C6D2B106ADE1AE675985B96D012
SHA-256:	7829F065E0E10C8466F3D57766E0719421B7B652F6A1082F21B98702F1B28A30
SHA-512:	7C0CBEF1D3CAE66A18C74544E593803C2EEC56817E762A385D54437BC7D597B2598886B0C0EDF72C6E934E9F146CEFC89392A492DB5425A1071E61CA1F156855
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/xfile1/images/8.jpg
Preview:	......Exif..MM.*.......................................................................................................(...........1.....".....2..........i.............$............'.......'.Adobe Photoshop CC 2015 (Windows).2020:01:21 13:41:42.............0221...................................................................r...........z.(.................................%.......H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................V...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......q..KJG..x.."....]..TX...[^.m...R.......X.5..j?p.A.RI%0...MN.$..@.4

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\bootstrap.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	144877
Entropy (8bit):	5.049937202697915
Encrypted:	false
SSDEEP:	1536:GcoqwrUPyDHU7c7TcDEBi82NcuSELL4d/+oENM6HN26Q:VoPgPard2oENM6HN26Q
MD5:	450FC463B8B1A349DF717056FBB3E078
SHA1:	895125A4522A3B10EE7ADA06EE6503587CBF95C5
SHA-256:	2C0F3DCFE93D7E380C290FE4AB838ED8CADFF1596D62697F5444BE460D1F876D
SHA-512:	93BF1ED5F6D8B34F53413A86EFD4A925D578C97ABC757EA871F3F46F340745E4126C48219D2E8040713605B64A9ECF7AD986AA8102F5EA5ECF9228801D962F5D
Malicious:	false
Reputation:	low
IE Cache URL:	https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Preview:	/!. Bootstrap v4.0.0 (https://getbootstrap.com). * Copyright 2011-2018 The Bootstrap Authors. * Copyright 2011-2018 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). /:root{--blue:#007bff;--indigo:#6610f2;--purple:#6f42c1;--pink:#e83e8c;--red:#dc3545;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#ffc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";--font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace},::after,::before{box-sizing:border-box}html{font-family:sans

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\bootstrap.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	48944
Entropy (8bit):	5.272507874206726
Encrypted:	false
SSDEEP:	768:9VG5R15WbHVKZrycEHSYro34CrSLB6WU/6DqBf4l1B:9VIRuo53XiwWTvl1B
MD5:	14D449EB8876FA55E1EF3C2CC52B0C17
SHA1:	A9545831803B1359CFEED47E3B4D6BAE68E40E99
SHA-256:	E7ED36CEEE5450B4243BBC35188AFABDFB4280C7C57597001DE0ED167299B01B
SHA-512:	00D9069B9BD29AD0DAA0503F341D67549CCE28E888E1AFFD1A2A45B64A4C1BC460D81CFC4751857F991F2F4FB3D2572FD97FCA651BA0C2B0255530209B182F22
Malicious:	false
Reputation:	low
IE Cache URL:	https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Preview:	/!. Bootstrap v4.0.0 (https://getbootstrap.com). * Copyright 2011-2018 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors). * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). */.!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("jquery"),require("popper.js")):"function"==typeof define&&define.amd?define(["exports","jquery","popper.js"],e):e(t.bootstrap={},t.jQuery,t.Popper)}(this,function(t,e,n){"use strict";function i(t,e){for(var n=0;n<e.length;n++){var i=e[n];i.enumerable=i.enumerable\|\|!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(t,i.key,i)}}function s(t,e,n){return e&&i(t.prototype,e),n&&i(t,n),t}function r(){return(r=Object.assign\|\|function(t){for(var e=1;e<arguments.length;e++){var n=arguments[e];for(var i in n)Object.prototype.hasOwnProperty.call(n,i)&&(t[i]=n[i])}return t}).apply(this,arguments)}e=e&&e.hasOwnProperty("default")?e.default:e,n=n&&n.hasOwnProp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\jquery.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	85578
Entropy (8bit):	5.366055229017455
Encrypted:	false
SSDEEP:	1536:EYE1JVoiB9JqZdXXe2pD3PgoIiulrUndZ6a4tfOR7WpfWBZ2BJda4w9W3qG9a986:v4J+OlfOhWppCW6G9a98Hr2
MD5:	2F6B11A7E914718E0290410E85366FE9
SHA1:	69BB69E25CA7D5EF0935317584E6153F3FD9A88C
SHA-256:	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
SHA-512:	0D40BCCAA59FEDECF7243D63B33C42592541D0330FEFC78EC81A4C6B9689922D5B211011CA4BE23AE22621CCE4C658F52A1552C92D7AC3615241EB640F8514DB
Malicious:	false
Reputation:	low
IE Cache URL:	https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Preview:	/! jQuery v2.2.4 \| (c) jQuery Foundation \| jquery.org/license /.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="2.2.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	11777
Entropy (8bit):	4.8159515725639555
Encrypted:	false
SSDEEP:	192:K2FI5vEJKnYmrDfG4RywAOT+UY/t4IdtWPtY:1nmRnAKyt48tZ
MD5:	6D1D3C4FD92B63CC534BE0EDF3AF18DC
SHA1:	5F5442FEB5BE60239F185E969C45050A7DBADE2A
SHA-256:	65ADCB045AEFB4D0028A6AF36EC9D42BBD4DAE9AFF2CF85810BB4A6F44D4B25C
SHA-512:	2D42684CF0A44E262C958172C2446974A4AE9B8D17F7208A5FCB690964EE0D56FEB157B9AB6166B8F94FBDCBA027271C36B66784655E8FD96CE0B5522FE71AA2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_HtmlPhish_10, Description: Yara detected HtmlPhish_10, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm, Author: Joe Security Rule: JoeSecurity_HtmlPhish_7, Description: Yara detected HtmlPhish_7, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm, Author: Joe Security
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/xfile1/
Preview:	...<!doctype html>..<html lang="en">..<head>.. <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>.. <script src="https://code.jquery.com/jquery-3.1.1.min.js">.. <script src="https://code.jquery.com/jquery-3.3.1.js" integrity="sha256-2Kok7MbOyxpgUVvAk/HJ2jigOSYS2auK4Pfzbm7uH60=" crossorigin="anonymous"></script>.. Required meta tags -->.. <meta charset="utf-8">.. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">.... Bootstrap CSS -->.. <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">.. <link href="https://fonts.googleapis.com/css?family=Yellowtail&display=swap" rel="stylesheet">.. <script src="https://kit.fontawesome.com/585b051251.js" crossorigin="anonymous"></script>.. <title>Share Point Online</title>.. <link

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\css[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	211
Entropy (8bit):	5.026484232218891
Encrypted:	false
SSDEEP:	6:0IFFwKh+56ZRWHMqh7izlpdBEoKOEEJTONin:jFWmO6ZRoMqt6p3EondOY
MD5:	04F7435B2672FBE66984EA436E7087C6
SHA1:	44896875E69B297EB979CC0D3E8522D872656BA8
SHA-256:	F9088C15A062F0C7708C3864C5E261A2E4961DFEB0F150DF744FAEC2E3B74AD6
SHA-512:	9A1D01A7FAC3D6B205CFA37C05A93AFA9D903D4D35DCB16E31D3A31D19CD65B8DE5D66E626BC7F70D07841C779E20CD2C2DD6254824F96DE0E8E576E156F1C7D
Malicious:	false
Reputation:	low
IE Cache URL:	https://fonts.googleapis.com/css?family=Yellowtail&display=swap
Preview:	@font-face {. font-family: 'Yellowtail';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url(https://fonts.gstatic.com/s/yellowtail/v11/OZpGg_pnoDtINPfRIlLohlvHxw.woff) format('woff');.}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\free-v4-shims.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	26701
Entropy (8bit):	4.829785000026929
Encrypted:	false
SSDEEP:	192:bP6hT1bIl4w0QUmQ10PwKLaAu5CwWavpHo4O6wgLPbJVR8XD7mycP:Ohal4w0QK+PwK05eavpmgPPeXD7mycP
MD5:	2E4C3DA4EAE1C876A281D6CA5A7A5B4C
SHA1:	92AD084AAB53B7AA8C761CD66BDFB1F79B9CAED7
SHA-256:	CFFF9EA502195A7B96FE38DECA9188A59B758DEEECC2CD4E78AEA7D911E638C6
SHA-512:	F324F308649F47E3C25BF021C1776A4326750D04D9392B7F200331E806514B69E7579FB23D7B2107A3B30CB96926554C0DE13F45FD1397BDAE89938DD52A7EBF
Malicious:	false
Reputation:	low
IE Cache URL:	https://ka-f.fontawesome.com/releases/v5.15.1/css/free-v4-shims.min.css
Preview:	/!. Font Awesome Free 5.15.1 by @fontawesome - https://fontawesome.com. * License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License). */.fa.fa-glass:before{content:"\f000"}.fa.fa-meetup{font-family:"Font Awesome 5 Brands";font-weight:400}.fa.fa-star-o{font-family:"Font Awesome 5 Free";font-weight:400}.fa.fa-star-o:before{content:"\f005"}.fa.fa-close:before,.fa.fa-remove:before{content:"\f00d"}.fa.fa-gear:before{content:"\f013"}.fa.fa-trash-o{font-family:"Font Awesome 5 Free";font-weight:400}.fa.fa-trash-o:before{content:"\f2ed"}.fa.fa-file-o{font-family:"Font Awesome 5 Free";font-weight:400}.fa.fa-file-o:before{content:"\f15b"}.fa.fa-clock-o{font-family:"Font Awesome 5 Free";font-weight:400}.fa.fa-clock-o:before{content:"\f017"}.fa.fa-arrow-circle-o-down{font-family:"Font Awesome 5 Free";font-weight:400}.fa.fa-arrow-circle-o-down:before{content:"\f358"}.fa.fa-arrow-circle-o-up{font-family:"Font Awesome 5 Free";font-weight:400}.fa.fa-arro

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\free.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	60351
Entropy (8bit):	4.728636008010348
Encrypted:	false
SSDEEP:	768:OUh31IPiyXNq4YxBowbgJlkwF//zMQyYJYX9Bft6VSz8:OU0PxXE4YXJgndFTfy9lt5Q
MD5:	319D424BA89A84BBD230A3B5F7024193
SHA1:	1AE1807CDED8F2E41D2541BCCA8E0D7077FBA6F4
SHA-256:	4F02BD6F018D6F08C37C39F2D114101BEAC342C2C065046635E5ED0C42853590
SHA-512:	A68CAB17CCD1C4DDEAD9124B75CF0CF0C12C4E914902AECE79DCC4C42167B58B565467F20F72C48DFA85490F1895F89F074C85E825D548AD12410741A3302E54
Malicious:	false
Reputation:	low
IE Cache URL:	https://ka-f.fontawesome.com/releases/v5.15.1/css/free.min.css
Preview:	/!. Font Awesome Free 5.15.1 by @fontawesome - https://fontawesome.com. * License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License). */.fa,.fab,.fad,.fal,.far,.fas{-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased;display:inline-block;font-style:normal;font-variant:normal;text-rendering:auto;line-height:1}.fa-lg{font-size:1.33333em;line-height:.75em;vertical-align:-.0667em}.fa-xs{font-size:.75em}.fa-sm{font-size:.875em}.fa-1x{font-size:1em}.fa-2x{font-size:2em}.fa-3x{font-size:3em}.fa-4x{font-size:4em}.fa-5x{font-size:5em}.fa-6x{font-size:6em}.fa-7x{font-size:7em}.fa-8x{font-size:8em}.fa-9x{font-size:9em}.fa-10x{font-size:10em}.fa-fw{text-align:center;width:1.25em}.fa-ul{list-style-type:none;margin-left:2.5em;padding-left:0}.fa-ul>li{position:relative}.fa-li{left:-2em;position:absolute;text-align:center;width:2em;line-height:inherit}.fa-border{border:.08em solid #eee;border-radius:.1em;padding:.2em .25em .15em}.fa-pul

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\outlook1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	771
Entropy (8bit):	7.682244426935498
Encrypted:	false
SSDEEP:	24:74yiH9yQmOntihdLl00qDeu1BcaDa0oljZG0:omOntO7v/uJDYG0
MD5:	C3FC46C5799C76F9107504028F39190F
SHA1:	519096AD3F03410CF9CE3C9B9FCCA6B439D97B23
SHA-256:	57898461712A639D119BDF88B7145919DCC8956C7A271D2E4A1084B29EAE6785
SHA-512:	DF4A0A2F78B2013035FB738BF405119B275D4CFEC31A23071EB9AF499D5F31FDC4BE22754CE791C975D7D417E908B5CAD16F962B0ADD3DFDCDE19844D74F6678
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/xfile1/images/outlook1.png
Preview:	.PNG........IHDR..............JL.....bKGD..............IDATH....k.A..k6.b.F1..H@...j@.aQ...(.. .. ........ .A..D...I......E......1...W...;;.Y.d.}].U5]..x"3?....!..A..y..+R2\...m.NX.=..p.0...d.^.3......J.Z.X.).....P\..x1.3.M.0....m.........F....?...n.......l.Fo)x._ R\|.s..a.T?...?.=.9.Y..u....z..\|.....Wz...h..<..P.. ...$.Y......k`/4.y/......L.C......."....U....7....G...'h.....1j1E..%t.....@..a.......b.ED-.Tn.<..o.D...o..(.{1l>........".4a.:k.I./.7t./.Q-'..>.. ......'3eb..d.@=4...C....A...;..N.X3.(.......,v...+...S...W..l...@,...j.).u<..@u..0...V&.b.yp.....0..o.?..V..B =.~&m"r(...6;EP.T.......h.m".[f.U)\|t..2.Q.....g.cP.W...D..[.O>..d;.yI.{/..#v.._..$.Q.......t\E..5i.q._.."/n...v.w..Uo ...#..S....^.....F..+._??.r.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\585b051251[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	10340
Entropy (8bit):	5.175690981945421
Encrypted:	false
SSDEEP:	192:B+H6KnRK9ZoshohD3mPho6Kq8hfZeU2xKIDXfbQjhWLYXyl8uH/yxPn:1xDohGE5/KQhoYXyl8uH/e
MD5:	3E8FF5DD178642AE0EB4F189643CCF4A
SHA1:	816F91715D145FEDAC019A1823C02BDCFBDC99A3
SHA-256:	D150D1150DB28459036EE4CEFEC9BE2400633431AED20F6786683A81991A1E80
SHA-512:	7CD3690B6E4317AC4AA950C7009C40E4EF4C160F217784506CA9553B2E8B1FB67B4F30E9345A29E6954F03E62387809598B86206B5E07013F644AD62B0772A63
Malicious:	false
Reputation:	low
IE Cache URL:	https://kit.fontawesome.com/585b051251.js
Preview:	window.FontAwesomeKitConfig = {"asyncLoading":{"enabled":true},"autoA11y":{"enabled":true},"baseUrl":"https://ka-f.fontawesome.com","baseUrlKit":"https://kit.fontawesome.com","detectConflictsUntil":null,"iconUploads":{},"id":132286382,"license":"free","method":"css","minify":{"enabled":true},"token":"585b051251","v4FontFaceShim":{"enabled":false},"v4shim":{"enabled":true},"version":"5.15.1"};.!function(t){"function"==typeof define&&define.amd?define("kit-loader",t):t()}((function(){"use strict";function t(e){return(t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(t){return typeof t}:function(t){return t&&"function"==typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t})(e)}function e(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}function n(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(t);e&&(o=o.filter((function(e){return Object.g

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\adobe[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 400x400, frames 3
Category:	downloaded
Size (bytes):	30925
Entropy (8bit):	7.75667128400845
Encrypted:	false
SSDEEP:	768:nuowBuvTpjgz+wqrPZ2qh8fmyjlX6RqnxgYqwNL:nuPOpjgzPqrPZRYZGnYqYL
MD5:	BE5274AF7D8BD25B8148A190FF515399
SHA1:	B8D0850FD92EE935287E17988B89E53607808C8C
SHA-256:	26C62DBDF527B8DCBF378EA62F129CBBBA3B244730687909BA21ECD729C9D2E6
SHA-512:	64893C625BE72783088575E36EF26FF4573243F32601BDA754EDA72B7515063B5E4E4831697D16AC663529C910AE12CCD145BEC530F2A9BAE4D9324301C65667
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/xfile1/images/adobe.jpg
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..g........\|?....".+......_.......4...R...'..q..~...n.7...........QXJ<...=...^.V'@U..E..5....Uz........IE.PTe.}/p.y.......T.<...-T..\|...b.=.#IU..~....{O/...b..E..............X...G...?........\|......._....M..g.................T~g.......<.....T~g......3$.=._..IU.K..^.E...=.#U.._[X.R..=W...1..........QTr.\....*.7..?..6.9K..^.E.Ps.\...........%W..y...g)s[KX)<......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\hover[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	114697
Entropy (8bit):	4.9296726009523
Encrypted:	false
SSDEEP:	1536:67O7EesvXIPRX4PT8aZv8qoXIoqbTFaFeTxvyAZ+D7M71D:qXIPRX4PT3
MD5:	FAC4178C15E5A86139C662DAFC809501
SHA1:	EF1481841399156A880EC31B07DDA9CFAA1ACE39
SHA-256:	BB88454962767EB6F2DDB1AABAAF844D8A57DE7E8F848D7F6928F81B54998452
SHA-512:	0902219B6E236FBF9D8173D1D452C8733C1BF67B0EB906CC9866EA0C27C2D08F6DA556D01475E9B54E2C6CE797B230BFBD5F39055CE0C71EA4D3E36872C378D9
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/xfile1/css/hover.css
Preview:	/!. Hover.css (http://ianlunn.github.io/Hover/). * Version: 2.3.2. * Author: Ian Lunn @IanLunn. * Author URL: http://ianlunn.co.uk/. * Github: https://github.com/IanLunn/Hover.. * Hover.css Copyright Ian Lunn 2017. Generated with Sass.. /./ 2D TRANSITIONS /./ Grow /..hvr-grow {. display: inline-block;. vertical-align: middle;. -webkit-transform: perspective(1px) translateZ(0);. transform: perspective(1px) translateZ(0);. box-shadow: 0 0 1px rgba(0, 0, 0, 0);. -webkit-transition-duration: 0.3s;. transition-duration: 0.3s;. -webkit-transition-property: transform;. transition-property: transform;.}..hvr-grow:hover, .hvr-grow:focus, .hvr-grow:active {. -webkit-transform: scale(1.1);. transform: scale(1.1);.}../ Shrink */..hvr-shrink {. display: inline-block;. vertical-align: middle;. -webkit-transform: perspective(1px) translateZ(0);. transform: perspective(1px) translateZ(0);. box-shadow: 0 0 1px rgba(0, 0, 0, 0);. -webkit-transition-duration: 0.3s;. transition-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\office3651[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 187 x 188, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	18025
Entropy (8bit):	3.011161251318808
Encrypted:	false
SSDEEP:	96:2S+WvkiqJq6Uq7NXrNG+GHhsc5yeFZV9D2Ydcx/NTV0K0VFDsCmm:2SJkiOq6Uq75shDs1kFP
MD5:	FE22440D79FFA34950F512EF4A718B2A
SHA1:	0E147E59544EE6580D3095353D4420849FA5EB8A
SHA-256:	A2F26B68A6C8810C1AEB4048C938F835A86BA83756A7A440F989B967E78F3BA8
SHA-512:	64218ECD4140DC05E50EB7BA4C9813794B8B5A4310C8308244205BA6ADA8EE7C2D1840121730A00800E41775241D8AFA02125A966064CD0EB2CC7D3E4605B81C
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/xfile1/images/office3651.png
Preview:	.PNG........IHDR............. .......pHYs...............<eiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmp:CreatorTool>Adobe Photoshop CC 2015 (Windows)</xmp:CreatorTool>. <xmp:CreateDate>2020-01-18T21:49:38+05:00</xmp:CreateDate>. <xmp:MetadataDate>2020-01-21T14:30:14+05:00</xmp:MetadataDate>. <x

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\w-logo-blue-white-bg[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	4119
Entropy (8bit):	7.949120703870044
Encrypted:	false
SSDEEP:	96:h3bdWfcmTY+aRF1pXWZL2+42HGhIUc8KeLEd:hgXTY+as02mOB8XLEd
MD5:	000BF649CC8F6BF27CFB04D1BCDCD3C7
SHA1:	D73D2F6D74EC6CDCBAE07955592962E77D8AE814
SHA-256:	6BDB369337AC2496761C6F063BFFEA0AA6A91D4662279C399071A468251F51F0
SHA-512:	73D2EA5FFC572C1AE73F37F8F0FF25E945AFEE8E077B6EE42CE969E575CDC2D8444F90848EA1CB4D1C9EE4BD725AEE2B4576AFC25F17D7295A90E1CBFE6EDFD5
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.kilpatrick-executive.com/wp-includes/images/w-logo-blue-white-bg.png
Preview:	.PNG........IHDR...P...P............IDATx..].xU...[..V..).Kk...V.k..J]jKEl?...t...!.{.,...E........@....F.%.....B...N.y..w.....I{.o...;.s..3...WH......./.zBp.o,XW.......#Z.f...\|mvD..9..F........y..o....1^.743l.......v..#.c.E&.e..hU1.{..........._cZ..We.v.....f.w....(..6\|.Y.. I:x..-.&.......D........<.6.6.l....T..)...\|....#..$g...VN.......!'/6.w..B.h.}....EV.......k.7" f.}.G.~#..M..+....G....iB......]..?+......'.j.GB..P%......\........../..%...&.8E...".........44.J...1.........S...........d.j..]ni%._..9.{.O?.H..6T.\|A.GC..g...U.oDEt,?.0....~....q=.y.~.9.Z......c...v.._....$.0.2...F.9a.L..)..l...2...w...I..&....Vg......H.I..r......./....z.`..+...Z.^U.=..5aBpb..0< ../>.9.c....".I..0.3N,}}....\|]Fb...Q.......W.....OQ..y;.....\|.37..}.....(c.....X..`xX).;......<5S....>.9..G.:..=..0^.......l_<G......H....C.O......Hk{..{....]Nc..B.8..}%>..w....Z...).....\..>....c..2...&..0'.DZJ.'~{Y....I....?........fR.a......;.<..lRG..n.....Q......Nf.6.

C:\Users\user\AppData\Local\Temp\~DF242C40FDCA1BED89.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.482012193875821
Encrypted:	false
SSDEEP:	12:c9lCg5/9lCgeK9l26an9l26an9l8fRD9l8fRD9lTqClMdMMk:c9lLh9lLh9lIn9lIn9loD9loD9lWXk
MD5:	565EC035F0E61BE675B3F4A6AE9BA418
SHA1:	089DBC2946BCD1DA6FC45C2EC0014D4CCC5A2BA4
SHA-256:	072BC87C9A08977C347E1353A4E00E0CBF76EB855054CB512EBBE4B77B19FDBF
SHA-512:	3039C4F1ECF1755E268E73F3E1238BC25A114EE6CA40E0BFDCA59D553D9EA843451E387A351A09D2D67D557BD6E3A074062D6CCEE23A0172F169B9823444A8C5
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF88F6808F3CD3FE9E.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	35257
Entropy (8bit):	0.4783231202632443
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+xvdcgIgvqr0un+khuPnJa40b:kBqoxKAuvScS+xvdc/Y30b
MD5:	F71E6DE97D053DB5CBD41806972D7BAC
SHA1:	3C7AD17E999722F8ED5C93BE0FB72FAB35FE4BEC
SHA-256:	AFA8417CCEF10382E11DF73C3E0B2D26D629BEFB7BB7554A6EF327471B48F20C
SHA-512:	6A6373C8AEE33A87A576317CA259FD6B30EE522ED0361C0372808C4A5928BA4745C07DD7AFFF92B00F65D1407F5339977317763734D25B4EE072303C2709DAF4
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF951FE95ED34B02A2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.5108984526898159
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAhfAH/3WRmi:kBqoxxJhHWSVSEabyeRmoFX
MD5:	00B33C6D5349F30B418978B62209C668
SHA1:	B0F3FA82C46241408261422567C71C1DC3FFF529
SHA-256:	9ECDC194BC8454D68164D14C845D198D8EA83EB37F1A62195144BA7BCCA1C3A0
SHA-512:	CD6F96403960AC6FCCA42F47B851A55CCF2CB0B20AC1EA873C5B02DAE47FE2D0F92D857D4E18B178E677A80D281DC092FC5BDC0042062CD57F5929453B62E488
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 19:43:12.355377913 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.355827093 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.433928013 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.433965921 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.434077978 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.434175014 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.446712017 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.446763992 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.525072098 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525156021 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525441885 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525598049 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525654078 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.525676012 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525711060 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.525738955 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525743961 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.525800943 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525835991 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.525862932 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525918007 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.525923967 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.525998116 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.526005983 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.526138067 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.526313066 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.526441097 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.526834011 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.526926041 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.598400116 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.598453999 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.604192019 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.677308083 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.677419901 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.677514076 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.677581072 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.687056065 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.687108994 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.687135935 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.687144995 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.687184095 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.687212944 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.819631100 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.824596882 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.830905914 CET	49723	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.831787109 CET	49725	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.833563089 CET	49726	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.833971024 CET	49727	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.892817974 CET	49734	443	192.168.2.5	104.16.19.94
Jan 13, 2021 19:43:12.893055916 CET	49733	443	192.168.2.5	104.16.19.94
Jan 13, 2021 19:43:12.900446892 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.900499105 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.900537968 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.900557995 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.900577068 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.900578022 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.900607109 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.900615931 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.900629997 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.900655031 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.900669098 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.900686979 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.900712013 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.900724888 CET	443	49717	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.900738001 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.900773048 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.903662920 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.903718948 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.903757095 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.903759003 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.903774977 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.903805017 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.903806925 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.903851032 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.903855085 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.903891087 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.903896093 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.903929949 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.903935909 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.903970003 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.903976917 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.904007912 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.904019117 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.904047012 CET	443	49716	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.904053926 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.904094934 CET	49716	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.906935930 CET	49717	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.909878969 CET	443	49725	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.910007954 CET	49725	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.910490990 CET	49725	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.911092997 CET	443	49723	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.911180019 CET	49723	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.911770105 CET	443	49726	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.911854029 CET	49726	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.912205935 CET	443	49727	91.213.11.127	192.168.2.5
Jan 13, 2021 19:43:12.912307978 CET	49727	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.912406921 CET	49726	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.912904024 CET	49727	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.922267914 CET	49723	443	192.168.2.5	91.213.11.127
Jan 13, 2021 19:43:12.933049917 CET	443	49734	104.16.19.94	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 19:43:06.740293980 CET	62176	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:06.788408995 CET	53	62176	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:08.358556032 CET	59596	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:08.406471014 CET	53	59596	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:09.642328024 CET	65296	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:09.693361998 CET	53	65296	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:10.848532915 CET	63183	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:10.896622896 CET	53	63183	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:11.065758944 CET	60151	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:11.123467922 CET	53	60151	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:11.858239889 CET	56969	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:11.906539917 CET	53	56969	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:12.202828884 CET	55161	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:12.338184118 CET	53	55161	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:12.738286018 CET	54757	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:12.745347023 CET	49992	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:12.768667936 CET	60075	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:12.770126104 CET	55016	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:12.796232939 CET	53	49992	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:12.802995920 CET	53	54757	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:12.817490101 CET	64345	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:12.818032980 CET	53	55016	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:12.819442034 CET	53	60075	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:12.833231926 CET	57128	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:12.843009949 CET	54791	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:12.873867989 CET	53	64345	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:12.881076097 CET	53	57128	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:12.890882969 CET	53	54791	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:13.147521019 CET	50463	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:13.198302984 CET	53	50463	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:14.307348967 CET	50394	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:14.355519056 CET	53	50394	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:15.574412107 CET	58530	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:15.625402927 CET	53	58530	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:30.022555113 CET	53813	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:30.082000017 CET	53	53813	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:33.832396984 CET	63732	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:33.890527964 CET	53	63732	8.8.8.8	192.168.2.5
Jan 13, 2021 19:43:35.930325031 CET	57344	53	192.168.2.5	8.8.8.8
Jan 13, 2021 19:43:35.981056929 CET	53	57344	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 19:43:12.202828884 CET	192.168.2.5	8.8.8.8	0x7ae4	Standard query (0)	www.kilpatrick-executive.com	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:12.745347023 CET	192.168.2.5	8.8.8.8	0xc05	Standard query (0)	code.jquery.com	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:12.768667936 CET	192.168.2.5	8.8.8.8	0x79f9	Standard query (0)	maxcdn.bootstrapcdn.com	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:12.833231926 CET	192.168.2.5	8.8.8.8	0x4188	Standard query (0)	kit.fontawesome.com	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:12.843009949 CET	192.168.2.5	8.8.8.8	0xa7e1	Standard query (0)	cdnjs.cloudflare.com	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:13.147521019 CET	192.168.2.5	8.8.8.8	0x3f7	Standard query (0)	ka-f.fontawesome.com	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:30.022555113 CET	192.168.2.5	8.8.8.8	0xc4a1	Standard query (0)	favicon.ico	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 19:43:12.338184118 CET	8.8.8.8	192.168.2.5	0x7ae4	No error (0)	www.kilpatrick-executive.com	kilpatrick-executive.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 19:43:12.338184118 CET	8.8.8.8	192.168.2.5	0x7ae4	No error (0)	kilpatrick-executive.com		91.213.11.127	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:12.796232939 CET	8.8.8.8	192.168.2.5	0xc05	No error (0)	code.jquery.com	cds.s5x3j6q5.hwcdn.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 19:43:12.819442034 CET	8.8.8.8	192.168.2.5	0x79f9	No error (0)	maxcdn.bootstrapcdn.com	cds.j3z9t3p6.hwcdn.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 19:43:12.881076097 CET	8.8.8.8	192.168.2.5	0x4188	No error (0)	kit.fontawesome.com	kit.fontawesome.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 19:43:12.890882969 CET	8.8.8.8	192.168.2.5	0xa7e1	No error (0)	cdnjs.cloudflare.com		104.16.19.94	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:12.890882969 CET	8.8.8.8	192.168.2.5	0xa7e1	No error (0)	cdnjs.cloudflare.com		104.16.18.94	A (IP address)	IN (0x0001)
Jan 13, 2021 19:43:13.198302984 CET	8.8.8.8	192.168.2.5	0x3f7	No error (0)	ka-f.fontawesome.com	ka-f.fontawesome.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 19:43:30.082000017 CET	8.8.8.8	192.168.2.5	0xc4a1	Name error (3)	favicon.ico	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 13, 2021 19:43:12.526313066 CET	91.213.11.127	443	192.168.2.5	49717	CN=kilpatrick-executive.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Sun Dec 20 01:00:00 CET 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Sun Mar 21 00:59:59 CET 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Jan 13, 2021 19:43:12.526834011 CET	91.213.11.127	443	192.168.2.5	49716	CN=kilpatrick-executive.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Sun Dec 20 01:00:00 CET 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Sun Mar 21 00:59:59 CET 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Jan 13, 2021 19:43:12.980665922 CET	104.16.19.94	443	192.168.2.5	49734	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Oct 21 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Thu Oct 21 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 13, 2021 19:43:12.980665922 CET	104.16.19.94	443	192.168.2.5	49734	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Jan 13, 2021 19:43:12.983843088 CET	104.16.19.94	443	192.168.2.5	49733	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Oct 21 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Thu Oct 21 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 13, 2021 19:43:12.983843088 CET	104.16.19.94	443	192.168.2.5	49733	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 5220 Parent PID: 792

General

Start time:	19:43:10
Start date:	13/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6f3da0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 988 Parent PID: 5220

General

Start time:	19:43:11
Start date:	13/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5220 CREDAT:17410 /prefetch:2
Imagebase:	0x140000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://www.kilpatrick-executive.com/xfile1/

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Signature Overview

Phishing:

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 5220 Parent PID: 792

General

Analysis Process: iexplore.exe PID: 988 Parent PID: 5220

General

Disassembly