ae78f2e1183c94c4444bae6ed9911c45df9ff6b2e09f9c206d3d6c122fa9999c

Analysis

max time kernel
71s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/03/2023, 19:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment-Charge.html
Size

10KB
MD5

35da21c894d1f9079174ebdceff4ec87
SHA1

9fd596fabde3aea323adeb650c023682c2579104
SHA256

ae78f2e1183c94c4444bae6ed9911c45df9ff6b2e09f9c206d3d6c122fa9999c
SHA512

7bc67e665c440e58c545a457bdd1ca0866970c4e6336a117966146c8064e58354d4f7e8c943e3320d0e391125bafb68b0512683274fbf4f8e3f95b64d3cc4111
SSDEEP

192:3ZBLeZBLEFk1Zhg1khSZhf8XanWGF5s6ZNID6pLgO5QFy1kh2Doyd0r0LoZiiO0q:HLWLL1o1khSZJNW65siiDecO5QFy1khw

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000d1ff3d35cf1f38d183348a160cd6ba1c0084ab97fe8604481cb8e2c557152c21000000000e8000000002000020000000ebc9a55b69a7f7145cda821409098c1308143f02cd8cc314784ad3883967acd7900000006fb496290649ed40f88ec633f8933ba4c5b5c10e7a1269506e244eabe78120866d7885fb59e391fe773fd6f0b7cd3247f144b1d3dede57b2f65a2279aedea94458342f7fec249f05bb68e5867f9b510fbbdf08000b191133e140ae7cbabf16ae8d1457dc3c7f70074ae21b3ba5a1893bf08670503b9322d1d0c1c11343f6e763d729aedaf2b9806e874a67798fd9bc8740000000719ad73cfbe529f1a03a073cc77709a2c942b1cb1b403a9d85c1e422a348499394d1507eaec713e19c9c1bbd12aef843d5480c58bb69967e769ead6886089aa3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca000000000200000000001066000000010000200000006ee883b0447e008439301c87d85628863f1621766695e3fb93bf01615eab58f1000000000e80000000020000200000008d9d1eccf9ec0510875c14c801b2dcb5688115fc2d41d77db406244840892e6220000000219189ebfbda38f674146f07597a777f8f0ed863f8f7d601eb216b0cdcd3043940000000535fd4d168546d8e37262fa535434f0ee968789c8af3f5761231a252a05a835a20cb8be8eb331ce04708e3481de94f1b8549f8b650a65ce82983e0bac8ca3831	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0ae19a68f53d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "385245402"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB2A7581-BF82-11ED-A6B7-D6914D53598A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "75000"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
308	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
308	iexplore.exe
308	iexplore.exe
984	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 984	308	iexplore.exe	28
PID 308 wrote to memory of 984	308	iexplore.exe	28
PID 308 wrote to memory of 984	308	iexplore.exe	28
PID 308 wrote to memory of 984	308	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Payment-Charge.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:308 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:984

Network

DNS

marathonpetroleum.na1.echosign.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

marathonpetroleum.na1.echosign.com

IN A

Response

marathonpetroleum.na1.echosign.com

IN A

52.71.63.231

marathonpetroleum.na1.echosign.com

IN A

52.71.63.230

marathonpetroleum.na1.echosign.com

IN A

52.71.63.232
GET

https://marathonpetroleum.na1.echosign.com/images/emailNextGen/email-powered-by-adobe-sign-logo.2@2x.png

IEXPLORE.EXE

Remote address:

52.71.63.231:443

Request

GET /images/emailNextGen/email-powered-by-adobe-sign-logo.2@2x.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: marathonpetroleum.na1.echosign.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 10 Mar 2023 19:33:50 GMT
Server: Apache
X-Robots-Tag: none
Accept-Ranges: bytes
ETag: W/"8281-1674509960000"
Last-Modified: Mon, 23 Jan 2023 21:39:20 GMT
Content-Length: 8281
Cache-Control: max-age=315360000
Expires: Mon, 07 Mar 2033 19:33:50 GMT
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: image/png;charset=UTF-8
GET

https://marathonpetroleum.na1.echosign.com/images/emailNextGen/checkmarkCircle@2x.png

IEXPLORE.EXE

Remote address:

52.71.63.231:443

Request

GET /images/emailNextGen/checkmarkCircle@2x.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: marathonpetroleum.na1.echosign.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 10 Mar 2023 19:33:50 GMT
Server: Apache
X-Robots-Tag: none
Accept-Ranges: bytes
ETag: W/"1540-1674509960000"
Last-Modified: Mon, 23 Jan 2023 21:39:20 GMT
Content-Length: 1540
Cache-Control: max-age=315360000
Expires: Mon, 07 Mar 2033 19:33:50 GMT
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Keep-Alive: timeout=15, max=199
Connection: Keep-Alive
Content-Type: image/png;charset=UTF-8
GET

https://marathonpetroleum.na1.echosign.com/track/CBFCIBAA3AAABLblqZhACqWN81QWhTTIwdWxUxXr_N1exifUZ6ItDsf5D1fi7fO9edjYLRmnpGVyzgtIvrnI*/blank.gif

IEXPLORE.EXE

Remote address:

52.71.63.231:443

Request

GET /track/CBFCIBAA3AAABLblqZhACqWN81QWhTTIwdWxUxXr_N1exifUZ6ItDsf5D1fi7fO9edjYLRmnpGVyzgtIvrnI*/blank.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: marathonpetroleum.na1.echosign.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 10 Mar 2023 19:33:50 GMT
Server: Apache
X-Robots-Tag: none
Accept-Ranges: bytes
ETag: W/"42-1674509960000"
Last-Modified: Mon, 23 Jan 2023 21:39:20 GMT
Content-Language: en-US
Content-Length: 42
Cache-Control: max-age=315360000
Expires: Mon, 07 Mar 2033 19:33:50 GMT
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Keep-Alive: timeout=15, max=198
Connection: Keep-Alive
Content-Type: image/gif;charset=UTF-8
DNS

protect-us.mimecast.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

protect-us.mimecast.com

IN A

Response

protect-us.mimecast.com

IN A

207.211.31.106

protect-us.mimecast.com

IN A

205.139.111.12

protect-us.mimecast.com

IN A

205.139.111.117

protect-us.mimecast.com

IN A

207.211.31.113

protect-us.mimecast.com

IN A

207.211.31.64

protect-us.mimecast.com

IN A

205.139.111.113
GET

https://protect-us.mimecast.com/s/edsFCwpZwGT0DRg9hV9viS?domain=gmhconstrutora.com.br/

IEXPLORE.EXE

Remote address:

207.211.31.106:443

Request

GET /s/edsFCwpZwGT0DRg9hV9viS?domain=gmhconstrutora.com.br/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: protect-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 307 Temporary Redirect

Date: Fri, 10 Mar 2023 19:34:00 GMT
Content-Length: 0
Connection: keep-alive
Location: https://protect-us.mimecast.com/r/PMAmXLpQq7zYeWsSDH74ZnnHVUulSMEGzVaHmOCcgWwMST14fm-2vwOxB4mvy8Cwhc3Zxm_f2ANKrukm7lDlNFQvfH4Gn0fWdTX9nMGkVKzLj9J8xeq8k7x6bJspgC4zXvmkEMU6ajnGfe--bo_ft_rtjqXY5szOMpNsGnSvEJTOi4_2pwC7RCQbkjClPfYtMjexAsGGferhknLHEGcf9nAnB_mIp0LDUxzQO6IZYL4uZQF3-7fcGSqeRP3yCcV3oGnMV8cZ-TGjduGCQZsW2zLiGiGkIUving3Gvo37E77VG_gYgaZinqUTdC07dsD7TWDoMytUx5jVj_JHJ9kNKYkinGC8xml9Jr4agNzFq85I2kBso7eAlZxSW81n5glBIBvtzq_YLmcj_jytQCYnvN6BswZXWPWXa5PP1J6n-2nEKSUNUWwMn4TTaGiNzTzpAJ3cNBBBoBEhQ5coKqalvLfiLdsGyPxOWxYk_6z67iX6igXmqYy65DWmqXOyT85L_AMPU5iTRmshcVAz5pFrC2_R6313727r0IF75QqU06OWpFSLL6WedK7u9QK3nD7PpGAkyZlAb9_3A9ioBnnupT0Jihax9fgNIp65mQvWn_o1wI8VPMYP49hPQoYGWf9ifT96WdcQW3slb7vt0tJP7uCYBrCWVnjfAUYoaEUhQkMJi5lRRNBFuYQxv3uA243PGbz9WGIyzre9NaCpce2VzeLw0EkqKBM3Al4zyvpic9zblpypnJ2BGXlw_dlTE6wwyLUv0A6-LIrP0j6EKkn-D1wndHhTjAdAmLhuX8l29Qkfp3FjpbnhkUgD6g22GwX18hXz3_veaqW8B3vfPFKuzJVqnIk7LsVgaI61OhU_P6bpEPCzi00EmFAh5gEO03xUm7rPiyOdNS3lv_h3nqUnf4WtJiketdAoHxCjjlji-YUwZToxreZBGiJoCfbvznZGBM72ewFT-tqKqP_wvaIt1qFn7cYoYKji2B_O7Z_o9d7sECX0Q9WNnKceBYT9lmAluKfE22_nHfvnJ1xRQYcC7AhMQvW6RZqVFrX5VNg5uAtQ9lkNL1FH0mcmDc8B3mJHLb990nWy86MIjQldkW5vRHdo4FVtz4bHs2TRGdej93Zsg5s9jz8OXGaAbhhLQp-T3XG4e9--Cc3SZ1ICEHWfpQlkmfpdEicxJsVVPlcDmrorR1HtKyTyAUrjqswYTy49q6fyQO86_FKvki_aOI2hRVMpu7UrMgI7Q-odUSV8hdHucM8gTouRI9S63AA_7rMJMewdR8MaC72uB_nwmU6pvuDxpM_vMmIifezw9zpiJsQN0Z5TQnZP25HeJVbYqdsdt1y2AkK5uZuzJeMaTAr1bWnbCF9KQ4u_3gXTOsnIDVDWGVZola_SiqcPlkPI6ALQN0wobpy4s_npASrg-07TxZ83re5eWy9HHei3zwLlj4JyVotE4vSfg9Pq64n1-Qi-HdOrjD-VE37B15KxAg-Hg0HVshpq9DtRR8MEMq62x07Wa6OGRIbAhD69PhWsVYBnCsnCzAsz3K7_BVo-Vbl2jmPpYGlKgRAb03xbLHfvzLI0EgR4Nw1_05BgdgIMzj41QgpbS09vhtz1kzDCV_qrfh-3OusTxhaaZyG8-43M9Phe7x8SQ7zITumFRhM-qD7EFih8GS3mBdj1nhYYWLMv5tZp_hfc0AFkeUYtj46b6Rak-oP6ri7pG-tXB9K90tCkJgQSebmPkQ5FBD5Y1RSg7udeYXzJxT8gcOyJ4T9nqKsrxc6gSUwzkXoE2amdHL-MERXBcePHDOXE4wMqynjJ-rsrWhggm4GSpL37yECfIYVnOjwepl-ISZTtUWBwKKR9hdSDSjqkG9_wWk7EISBlcQ
Cache-control: no-store
Pragma: no-cache
X-Robots-Tag: noindex, nofollow
GET

https://protect-us.mimecast.com/r/PMAmXLpQq7zYeWsSDH74ZnnHVUulSMEGzVaHmOCcgWwMST14fm-2vwOxB4mvy8Cwhc3Zxm_f2ANKrukm7lDlNFQvfH4Gn0fWdTX9nMGkVKzLj9J8xeq8k7x6bJspgC4zXvmkEMU6ajnGfe--bo_ft_rtjqXY5szOMpNsGnSvEJTOi4_2pwC7RCQbkjClPfYtMjexAsGGferhknLHEGcf9nAnB_mIp0LDUxzQO6IZYL4uZQF3-7fcGSqeRP3yCcV3oGnMV8cZ-TGjduGCQZsW2zLiGiGkIUving3Gvo37E77VG_gYgaZinqUTdC07dsD7TWDoMytUx5jVj_JHJ9kNKYkinGC8xml9Jr4agNzFq85I2kBso7eAlZxSW81n5glBIBvtzq_YLmcj_jytQCYnvN6BswZXWPWXa5PP1J6n-2nEKSUNUWwMn4TTaGiNzTzpAJ3cNBBBoBEhQ5coKqalvLfiLdsGyPxOWxYk_6z67iX6igXmqYy65DWmqXOyT85L_AMPU5iTRmshcVAz5pFrC2_R6313727r0IF75QqU06OWpFSLL6WedK7u9QK3nD7PpGAkyZlAb9_3A9ioBnnupT0Jihax9fgNIp65mQvWn_o1wI8VPMYP49hPQoYGWf9ifT96WdcQW3slb7vt0tJP7uCYBrCWVnjfAUYoaEUhQkMJi5lRRNBFuYQxv3uA243PGbz9WGIyzre9NaCpce2VzeLw0EkqKBM3Al4zyvpic9zblpypnJ2BGXlw_dlTE6wwyLUv0A6-LIrP0j6EKkn-D1wndHhTjAdAmLhuX8l29Qkfp3FjpbnhkUgD6g22GwX18hXz3_veaqW8B3vfPFKuzJVqnIk7LsVgaI61OhU_P6bpEPCzi00EmFAh5gEO03xUm7rPiyOdNS3lv_h3nqUnf4WtJiketdAoHxCjjlji-YUwZToxreZBGiJoCfbvznZGBM72ewFT-tqKqP_wvaIt1qFn7cYoYKji2B_O7Z_o9d7sECX0Q9WNnKceBYT9lmAluKfE22_nHfvnJ1xRQYcC7AhMQvW6RZqVFrX5VNg5uAtQ9lkNL1FH0mcmDc8B3mJHLb990nWy86MIjQldkW5vRHdo4FVtz4bHs2TRGdej93Zsg5s9jz8OXGaAbhhLQp-T3XG4e9--Cc3SZ1ICEHWfpQlkmfpdEicxJsVVPlcDmrorR1HtKyTyAUrjqswYTy49q6fyQO86_FKvki_aOI2hRVMpu7UrMgI7Q-odUSV8hdHucM8gTouRI9S63AA_7rMJMewdR8MaC72uB_nwmU6pvuDxpM_vMmIifezw9zpiJsQN0Z5TQnZP25HeJVbYqdsdt1y2AkK5uZuzJeMaTAr1bWnbCF9KQ4u_3gXTOsnIDVDWGVZola_SiqcPlkPI6ALQN0wobpy4s_npASrg-07TxZ83re5eWy9HHei3zwLlj4JyVotE4vSfg9Pq64n1-Qi-HdOrjD-VE37B15KxAg-Hg0HVshpq9DtRR8MEMq62x07Wa6OGRIbAhD69PhWsVYBnCsnCzAsz3K7_BVo-Vbl2jmPpYGlKgRAb03xbLHfvzLI0EgR4Nw1_05BgdgIMzj41QgpbS09vhtz1kzDCV_qrfh-3OusTxhaaZyG8-43M9Phe7x8SQ7zITumFRhM-qD7EFih8GS3mBdj1nhYYWLMv5tZp_hfc0AFkeUYtj46b6Rak-oP6ri7pG-tXB9K90tCkJgQSebmPkQ5FBD5Y1RSg7udeYXzJxT8gcOyJ4T9nqKsrxc6gSUwzkXoE2amdHL-MERXBcePHDOXE4wMqynjJ-rsrWhggm4GSpL37yECfIYVnOjwepl-ISZTtUWBwKKR9hdSDSjqkG9_wWk7EISBlcQ

IEXPLORE.EXE

Remote address:

207.211.31.106:443

Request

GET /r/PMAmXLpQq7zYeWsSDH74ZnnHVUulSMEGzVaHmOCcgWwMST14fm-2vwOxB4mvy8Cwhc3Zxm_f2ANKrukm7lDlNFQvfH4Gn0fWdTX9nMGkVKzLj9J8xeq8k7x6bJspgC4zXvmkEMU6ajnGfe--bo_ft_rtjqXY5szOMpNsGnSvEJTOi4_2pwC7RCQbkjClPfYtMjexAsGGferhknLHEGcf9nAnB_mIp0LDUxzQO6IZYL4uZQF3-7fcGSqeRP3yCcV3oGnMV8cZ-TGjduGCQZsW2zLiGiGkIUving3Gvo37E77VG_gYgaZinqUTdC07dsD7TWDoMytUx5jVj_JHJ9kNKYkinGC8xml9Jr4agNzFq85I2kBso7eAlZxSW81n5glBIBvtzq_YLmcj_jytQCYnvN6BswZXWPWXa5PP1J6n-2nEKSUNUWwMn4TTaGiNzTzpAJ3cNBBBoBEhQ5coKqalvLfiLdsGyPxOWxYk_6z67iX6igXmqYy65DWmqXOyT85L_AMPU5iTRmshcVAz5pFrC2_R6313727r0IF75QqU06OWpFSLL6WedK7u9QK3nD7PpGAkyZlAb9_3A9ioBnnupT0Jihax9fgNIp65mQvWn_o1wI8VPMYP49hPQoYGWf9ifT96WdcQW3slb7vt0tJP7uCYBrCWVnjfAUYoaEUhQkMJi5lRRNBFuYQxv3uA243PGbz9WGIyzre9NaCpce2VzeLw0EkqKBM3Al4zyvpic9zblpypnJ2BGXlw_dlTE6wwyLUv0A6-LIrP0j6EKkn-D1wndHhTjAdAmLhuX8l29Qkfp3FjpbnhkUgD6g22GwX18hXz3_veaqW8B3vfPFKuzJVqnIk7LsVgaI61OhU_P6bpEPCzi00EmFAh5gEO03xUm7rPiyOdNS3lv_h3nqUnf4WtJiketdAoHxCjjlji-YUwZToxreZBGiJoCfbvznZGBM72ewFT-tqKqP_wvaIt1qFn7cYoYKji2B_O7Z_o9d7sECX0Q9WNnKceBYT9lmAluKfE22_nHfvnJ1xRQYcC7AhMQvW6RZqVFrX5VNg5uAtQ9lkNL1FH0mcmDc8B3mJHLb990nWy86MIjQldkW5vRHdo4FVtz4bHs2TRGdej93Zsg5s9jz8OXGaAbhhLQp-T3XG4e9--Cc3SZ1ICEHWfpQlkmfpdEicxJsVVPlcDmrorR1HtKyTyAUrjqswYTy49q6fyQO86_FKvki_aOI2hRVMpu7UrMgI7Q-odUSV8hdHucM8gTouRI9S63AA_7rMJMewdR8MaC72uB_nwmU6pvuDxpM_vMmIifezw9zpiJsQN0Z5TQnZP25HeJVbYqdsdt1y2AkK5uZuzJeMaTAr1bWnbCF9KQ4u_3gXTOsnIDVDWGVZola_SiqcPlkPI6ALQN0wobpy4s_npASrg-07TxZ83re5eWy9HHei3zwLlj4JyVotE4vSfg9Pq64n1-Qi-HdOrjD-VE37B15KxAg-Hg0HVshpq9DtRR8MEMq62x07Wa6OGRIbAhD69PhWsVYBnCsnCzAsz3K7_BVo-Vbl2jmPpYGlKgRAb03xbLHfvzLI0EgR4Nw1_05BgdgIMzj41QgpbS09vhtz1kzDCV_qrfh-3OusTxhaaZyG8-43M9Phe7x8SQ7zITumFRhM-qD7EFih8GS3mBdj1nhYYWLMv5tZp_hfc0AFkeUYtj46b6Rak-oP6ri7pG-tXB9K90tCkJgQSebmPkQ5FBD5Y1RSg7udeYXzJxT8gcOyJ4T9nqKsrxc6gSUwzkXoE2amdHL-MERXBcePHDOXE4wMqynjJ-rsrWhggm4GSpL37yECfIYVnOjwepl-ISZTtUWBwKKR9hdSDSjqkG9_wWk7EISBlcQ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: protect-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 307 Temporary Redirect

Date: Fri, 10 Mar 2023 19:34:00 GMT
Content-Length: 0
Connection: keep-alive
Location: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Cache-control: no-store
Pragma: no-cache
X-Robots-Tag: noindex, nofollow
DNS

security-us.mimecast.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

security-us.mimecast.com

IN A

Response

security-us.mimecast.com

IN A

205.139.110.113

security-us.mimecast.com

IN A

205.139.110.117

security-us.mimecast.com

IN A

207.211.31.119

security-us.mimecast.com

IN A

205.139.110.99

security-us.mimecast.com

IN A

207.211.31.14

security-us.mimecast.com

IN A

207.211.31.110
GET

https://security-us.mimecast.com/ttpwp/resources/polyfills-es5.b630748defa4cdcaf648.js

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/polyfills-es5.b630748defa4cdcaf648.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"2cc5b-186bce366a8"
Content-Type: application/javascript; charset=UTF-8
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:01 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/mimecast-icons.fd97725823d43fd9cada.eot?25417273

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/mimecast-icons.fd97725823d43fd9cada.eot?25417273 HTTP/1.1
Accept: */*
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Origin: https://security-us.mimecast.com
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"13070-186bce366a8"
Content-Type: application/vnd.ms-fontobject
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:02 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html; charset=utf-8
ETag: W/"d77-Qco9+pwPG6+bY/Zu1pWG9T1r3vc"
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:00 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/runtime.b630748defa4cdcaf648.js

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/runtime.b630748defa4cdcaf648.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"5d4-186bce366a8"
Content-Type: application/javascript; charset=UTF-8
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:01 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/fa-solid-900.dcddb714e825d85920df.eot?

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/fa-solid-900.dcddb714e825d85920df.eot? HTTP/1.1
Accept: */*
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Origin: https://security-us.mimecast.com
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"5dc6e-186bce366a8"
Content-Type: application/vnd.ms-fontobject
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:02 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/polyfills.b630748defa4cdcaf648.js

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/polyfills.b630748defa4cdcaf648.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"1743c-186bce366a8"
Content-Type: application/javascript; charset=UTF-8
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:01 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/images/mimecast-logo.png

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/images/mimecast-logo.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"1084-186bce366a8"
Content-Type: image/png
Content-Length: 4228
Date: Fri, 10 Mar 2023 19:34:02 GMT
Connection: keep-alive
GET

https://security-us.mimecast.com/ttpwp/resources/fa-regular-400.1c9c47c2e74e9e4a5d07.eot?

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/fa-regular-400.1c9c47c2e74e9e4a5d07.eot? HTTP/1.1
Accept: */*
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Origin: https://security-us.mimecast.com
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"6debe-186bce366a8"
Content-Type: application/vnd.ms-fontobject
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:02 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/styles.b630748defa4cdcaf648.js

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/styles.b630748defa4cdcaf648.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"6434f-186bce366a8"
Content-Type: application/javascript; charset=UTF-8
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:01 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/languages/en.json

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/languages/en.json HTTP/1.1
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Content-Type: application/json
x-context-route: ttpwp
Accept: application/json, text/plain, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"405e-186bce366a8"
Content-Type: application/json; charset=UTF-8
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:02 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/main.b630748defa4cdcaf648.js

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/main.b630748defa4cdcaf648.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://security-us.mimecast.com/ttpwp#/enrollment?key=f18935c6-b27f-4e55-aa56-47bdc40f886c
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"f61b5-186bce366a8"
Content-Type: application/javascript; charset=UTF-8
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:01 GMT
Connection: keep-alive
Transfer-Encoding: chunked
GET

https://security-us.mimecast.com/ttpwp/resources/images/favicon.ico

IEXPLORE.EXE

Remote address:

205.139.110.113:443

Request

GET /ttpwp/resources/images/favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: security-us.mimecast.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer
X-Robots-Tag: noindex, nofollow
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Tue, 07 Mar 2023 16:24:25 GMT
ETag: W/"47e-186bce366a8"
Content-Type: image/x-icon
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Fri, 10 Mar 2023 19:34:02 GMT
Connection: keep-alive
Transfer-Encoding: chunked

52.71.63.231:443

marathonpetroleum.na1.echosign.com

tls

IEXPLORE.EXE

1.7kB
6.5kB
29
29
52.71.63.231:443

marathonpetroleum.na1.echosign.com

tls

IEXPLORE.EXE

1.7kB
6.5kB
29
29
52.71.63.231:443

https://marathonpetroleum.na1.echosign.com/track/CBFCIBAA3AAABLblqZhACqWN81QWhTTIwdWxUxXr_N1exifUZ6ItDsf5D1fi7fO9edjYLRmnpGVyzgtIvrnI*/blank.gif

tls, http

IEXPLORE.EXE

2.5kB
19.1kB
21
24

HTTP Request

GET https://marathonpetroleum.na1.echosign.com/images/emailNextGen/email-powered-by-adobe-sign-logo.2@2x.png

HTTP Response

200

HTTP Request

GET https://marathonpetroleum.na1.echosign.com/images/emailNextGen/checkmarkCircle@2x.png

HTTP Response

200

HTTP Request

GET https://marathonpetroleum.na1.echosign.com/track/CBFCIBAA3AAABLblqZhACqWN81QWhTTIwdWxUxXr_N1exifUZ6ItDsf5D1fi7fO9edjYLRmnpGVyzgtIvrnI*/blank.gif

HTTP Response

200
207.211.31.106:443

https://protect-us.mimecast.com/r/PMAmXLpQq7zYeWsSDH74ZnnHVUulSMEGzVaHmOCcgWwMST14fm-2vwOxB4mvy8Cwhc3Zxm_f2ANKrukm7lDlNFQvfH4Gn0fWdTX9nMGkVKzLj9J8xeq8k7x6bJspgC4zXvmkEMU6ajnGfe--bo_ft_rtjqXY5szOMpNsGnSvEJTOi4_2pwC7RCQbkjClPfYtMjexAsGGferhknLHEGcf9nAnB_mIp0LDUxzQO6IZYL4uZQF3-7fcGSqeRP3yCcV3oGnMV8cZ-TGjduGCQZsW2zLiGiGkIUving3Gvo37E77VG_gYgaZinqUTdC07dsD7TWDoMytUx5jVj_JHJ9kNKYkinGC8xml9Jr4agNzFq85I2kBso7eAlZxSW81n5glBIBvtzq_YLmcj_jytQCYnvN6BswZXWPWXa5PP1J6n-2nEKSUNUWwMn4TTaGiNzTzpAJ3cNBBBoBEhQ5coKqalvLfiLdsGyPxOWxYk_6z67iX6igXmqYy65DWmqXOyT85L_AMPU5iTRmshcVAz5pFrC2_R6313727r0IF75QqU06OWpFSLL6WedK7u9QK3nD7PpGAkyZlAb9_3A9ioBnnupT0Jihax9fgNIp65mQvWn_o1wI8VPMYP49hPQoYGWf9ifT96WdcQW3slb7vt0tJP7uCYBrCWVnjfAUYoaEUhQkMJi5lRRNBFuYQxv3uA243PGbz9WGIyzre9NaCpce2VzeLw0EkqKBM3Al4zyvpic9zblpypnJ2BGXlw_dlTE6wwyLUv0A6-LIrP0j6EKkn-D1wndHhTjAdAmLhuX8l29Qkfp3FjpbnhkUgD6g22GwX18hXz3_veaqW8B3vfPFKuzJVqnIk7LsVgaI61OhU_P6bpEPCzi00EmFAh5gEO03xUm7rPiyOdNS3lv_h3nqUnf4WtJiketdAoHxCjjlji-YUwZToxreZBGiJoCfbvznZGBM72ewFT-tqKqP_wvaIt1qFn7cYoYKji2B_O7Z_o9d7sECX0Q9WNnKceBYT9lmAluKfE22_nHfvnJ1xRQYcC7AhMQvW6RZqVFrX5VNg5uAtQ9lkNL1FH0mcmDc8B3mJHLb990nWy86MIjQldkW5vRHdo4FVtz4bHs2TRGdej93Zsg5s9jz8OXGaAbhhLQp-T3XG4e9--Cc3SZ1ICEHWfpQlkmfpdEicxJsVVPlcDmrorR1HtKyTyAUrjqswYTy49q6fyQO86_FKvki_aOI2hRVMpu7UrMgI7Q-odUSV8hdHucM8gTouRI9S63AA_7rMJMewdR8MaC72uB_nwmU6pvuDxpM_vMmIifezw9zpiJsQN0Z5TQnZP25HeJVbYqdsdt1y2AkK5uZuzJeMaTAr1bWnbCF9KQ4u_3gXTOsnIDVDWGVZola_SiqcPlkPI6ALQN0wobpy4s_npASrg-07TxZ83re5eWy9HHei3zwLlj4JyVotE4vSfg9Pq64n1-Qi-HdOrjD-VE37B15KxAg-Hg0HVshpq9DtRR8MEMq62x07Wa6OGRIbAhD69PhWsVYBnCsnCzAsz3K7_BVo-Vbl2jmPpYGlKgRAb03xbLHfvzLI0EgR4Nw1_05BgdgIMzj41QgpbS09vhtz1kzDCV_qrfh-3OusTxhaaZyG8-43M9Phe7x8SQ7zITumFRhM-qD7EFih8GS3mBdj1nhYYWLMv5tZp_hfc0AFkeUYtj46b6Rak-oP6ri7pG-tXB9K90tCkJgQSebmPkQ5FBD5Y1RSg7udeYXzJxT8gcOyJ4T9nqKsrxc6gSUwzkXoE2amdHL-MERXBcePHDOXE4wMqynjJ-rsrWhggm4GSpL37yECfIYVnOjwepl-ISZTtUWBwKKR9hdSDSjqkG9_wWk7EISBlcQ

tls, http

IEXPLORE.EXE

5.7kB
7.0kB
15
16

HTTP Request

GET https://protect-us.mimecast.com/s/edsFCwpZwGT0DRg9hV9viS?domain=gmhconstrutora.com.br/

HTTP Response

307

HTTP Request

GET https://protect-us.mimecast.com/r/PMAmXLpQq7zYeWsSDH74ZnnHVUulSMEGzVaHmOCcgWwMST14fm-2vwOxB4mvy8Cwhc3Zxm_f2ANKrukm7lDlNFQvfH4Gn0fWdTX9nMGkVKzLj9J8xeq8k7x6bJspgC4zXvmkEMU6ajnGfe--bo_ft_rtjqXY5szOMpNsGnSvEJTOi4_2pwC7RCQbkjClPfYtMjexAsGGferhknLHEGcf9nAnB_mIp0LDUxzQO6IZYL4uZQF3-7fcGSqeRP3yCcV3oGnMV8cZ-TGjduGCQZsW2zLiGiGkIUving3Gvo37E77VG_gYgaZinqUTdC07dsD7TWDoMytUx5jVj_JHJ9kNKYkinGC8xml9Jr4agNzFq85I2kBso7eAlZxSW81n5glBIBvtzq_YLmcj_jytQCYnvN6BswZXWPWXa5PP1J6n-2nEKSUNUWwMn4TTaGiNzTzpAJ3cNBBBoBEhQ5coKqalvLfiLdsGyPxOWxYk_6z67iX6igXmqYy65DWmqXOyT85L_AMPU5iTRmshcVAz5pFrC2_R6313727r0IF75QqU06OWpFSLL6WedK7u9QK3nD7PpGAkyZlAb9_3A9ioBnnupT0Jihax9fgNIp65mQvWn_o1wI8VPMYP49hPQoYGWf9ifT96WdcQW3slb7vt0tJP7uCYBrCWVnjfAUYoaEUhQkMJi5lRRNBFuYQxv3uA243PGbz9WGIyzre9NaCpce2VzeLw0EkqKBM3Al4zyvpic9zblpypnJ2BGXlw_dlTE6wwyLUv0A6-LIrP0j6EKkn-D1wndHhTjAdAmLhuX8l29Qkfp3FjpbnhkUgD6g22GwX18hXz3_veaqW8B3vfPFKuzJVqnIk7LsVgaI61OhU_P6bpEPCzi00EmFAh5gEO03xUm7rPiyOdNS3lv_h3nqUnf4WtJiketdAoHxCjjlji-YUwZToxreZBGiJoCfbvznZGBM72ewFT-tqKqP_wvaIt1qFn7cYoYKji2B_O7Z_o9d7sECX0Q9WNnKceBYT9lmAluKfE22_nHfvnJ1xRQYcC7AhMQvW6RZqVFrX5VNg5uAtQ9lkNL1FH0mcmDc8B3mJHLb990nWy86MIjQldkW5vRHdo4FVtz4bHs2TRGdej93Zsg5s9jz8OXGaAbhhLQp-T3XG4e9--Cc3SZ1ICEHWfpQlkmfpdEicxJsVVPlcDmrorR1HtKyTyAUrjqswYTy49q6fyQO86_FKvki_aOI2hRVMpu7UrMgI7Q-odUSV8hdHucM8gTouRI9S63AA_7rMJMewdR8MaC72uB_nwmU6pvuDxpM_vMmIifezw9zpiJsQN0Z5TQnZP25HeJVbYqdsdt1y2AkK5uZuzJeMaTAr1bWnbCF9KQ4u_3gXTOsnIDVDWGVZola_SiqcPlkPI6ALQN0wobpy4s_npASrg-07TxZ83re5eWy9HHei3zwLlj4JyVotE4vSfg9Pq64n1-Qi-HdOrjD-VE37B15KxAg-Hg0HVshpq9DtRR8MEMq62x07Wa6OGRIbAhD69PhWsVYBnCsnCzAsz3K7_BVo-Vbl2jmPpYGlKgRAb03xbLHfvzLI0EgR4Nw1_05BgdgIMzj41QgpbS09vhtz1kzDCV_qrfh-3OusTxhaaZyG8-43M9Phe7x8SQ7zITumFRhM-qD7EFih8GS3mBdj1nhYYWLMv5tZp_hfc0AFkeUYtj46b6Rak-oP6ri7pG-tXB9K90tCkJgQSebmPkQ5FBD5Y1RSg7udeYXzJxT8gcOyJ4T9nqKsrxc6gSUwzkXoE2amdHL-MERXBcePHDOXE4wMqynjJ-rsrWhggm4GSpL37yECfIYVnOjwepl-ISZTtUWBwKKR9hdSDSjqkG9_wWk7EISBlcQ

HTTP Response

307
207.211.31.106:443

protect-us.mimecast.com

tls

IEXPLORE.EXE

738 B
4.0kB
9
9
205.139.110.113:443

https://security-us.mimecast.com/ttpwp/resources/mimecast-icons.fd97725823d43fd9cada.eot?25417273

tls, http

IEXPLORE.EXE

4.1kB
119.1kB
61
92

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/polyfills-es5.b630748defa4cdcaf648.js

HTTP Response

200

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/mimecast-icons.fd97725823d43fd9cada.eot?25417273

HTTP Response

200
205.139.110.113:443

https://security-us.mimecast.com/ttpwp/resources/fa-solid-900.dcddb714e825d85920df.eot?

tls, http

IEXPLORE.EXE

5.8kB
204.2kB
91
152

HTTP Request

GET https://security-us.mimecast.com/ttpwp

HTTP Response

200

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/runtime.b630748defa4cdcaf648.js

HTTP Response

200

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/fa-solid-900.dcddb714e825d85920df.eot?

HTTP Response

200
205.139.110.113:443

https://security-us.mimecast.com/ttpwp/resources/fa-regular-400.1c9c47c2e74e9e4a5d07.eot?

tls, http

IEXPLORE.EXE

7.6kB
280.9kB
127
208

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/polyfills.b630748defa4cdcaf648.js

HTTP Response

200

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/images/mimecast-logo.png

HTTP Response

200

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/fa-regular-400.1c9c47c2e74e9e4a5d07.eot?

HTTP Response

200
205.139.110.113:443

https://security-us.mimecast.com/ttpwp/resources/languages/en.json

tls, http

IEXPLORE.EXE

3.4kB
72.4kB
46
59

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/styles.b630748defa4cdcaf648.js

HTTP Response

200

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/languages/en.json

HTTP Response

200
205.139.110.113:443

https://security-us.mimecast.com/ttpwp/resources/images/favicon.ico

tls, http

IEXPLORE.EXE

6.5kB
274.3kB
117
202

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/main.b630748defa4cdcaf648.js

HTTP Response

200

HTTP Request

GET https://security-us.mimecast.com/ttpwp/resources/images/favicon.ico

HTTP Response

200
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

707 B
7.6kB
8
11

8.8.8.8:53

marathonpetroleum.na1.echosign.com

dns

IEXPLORE.EXE

80 B
128 B
1
1

DNS Request

marathonpetroleum.na1.echosign.com

DNS Response

52.71.63.231

52.71.63.230

52.71.63.232
8.8.8.8:53

protect-us.mimecast.com

dns

IEXPLORE.EXE

69 B
165 B
1
1

DNS Request

protect-us.mimecast.com

DNS Response

207.211.31.106

205.139.111.12

205.139.111.117

207.211.31.113

207.211.31.64

205.139.111.113
8.8.8.8:53

security-us.mimecast.com

dns

IEXPLORE.EXE

70 B
166 B
1
1

DNS Request

security-us.mimecast.com

DNS Response

205.139.110.113

205.139.110.117

207.211.31.119

205.139.110.99

207.211.31.14

207.211.31.110

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ada223a455bc26c79424037e6323a13

SHA1
c699c8d36446929fc48edf61e1ebd1736bc30056

SHA256
896500d8769b6b038aad54fba906dbd7570a34ffd91cb9592fa233beebe93bfc

SHA512
db78927582a7b05c873063f144e8e368dc3cef7dbd17fc7c43a481a22cd1c5dc3d5cff4f18ce5a5411c24ad6f76a78a1e38d4a8e5a5851ece83a16c180666a98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0d742067bad7f4323263b761c4163a0

SHA1
f2063287d7043a56cdc7ec2f953fa0bbcad2dc5a

SHA256
d0a917be60b3c6fab506b622d4ba98233d1ba6a06d48e01e403cdced93a23094

SHA512
89e5fae5c5bf167847b922af20e4989c7888bf2eaaca38e2bf42d66b15167b6f7764a7486764558a20f5a0e7c7180374078fb92ae9053ab507b8896a3b339e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4f74d33230432e855edb674fdeae17b

SHA1
910adbcd01dcc701412f1a086b02cd859ed50846

SHA256
312d8bce6dcd53b4b75b86fdc63fc1dca06fc9c84ef8721d74b7b4b656712095

SHA512
dff7373d9b85f1c8d1d17f906a935a077c2a73b635e65c4fb217a9cb7eb91f75da1250caaa78927e096389d2cc21b04affeef7e82fc72c8f249b1fcd4d6465d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab8b929c3355768de5a91014aace3eb6

SHA1
c0b39a84292c407791c444ee97ecdb1ae16a8d3f

SHA256
e251995d338a31159ff04f488231c0588b3ac46052a2bdad3dbaca53fc05c9e0

SHA512
173adc3af2970b6e2032d4ad6e1c9072390a8c67f2f2ea364292b708c960280145213f69bf771e235dfdfd5bc275a4b9b908505ca8e8a42ad3a3eb4d40588e5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3e1be0252a4abe9820e0f50ff6c0b18

SHA1
6615342779432019a48f34f82bb9246821a1fa98

SHA256
757c9c49b4fc66a9cb0b463c7106a247831db3ec041a2f83aa083ad24b4d7fe2

SHA512
a07b6d2c7c1795de257f0e09827925bfceeb781cf24ae4cab0fb6391ae69779fe4a5c10068bf7bc1ce8b93b7040d2d6b435bcb871b72f90cb341e7d3cca8b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\07asiie\imagestore.dat

Filesize
5KB

MD5
d8f5cf2f463cd2dd41ab5278bb3077b6

SHA1
bc3a5274f138fd36a4783cb546a4116058c360c2

SHA256
cb6b6e475eceda5a67f5275fa526a3d77b2384ed94427295ed466bf6c5b0acf0

SHA512
20df612ec96e8a97a08bb19ace36d386ad3579422e29418a31a1b2c2636ea9c86de6bf6fcbdc8ae348a7c88f65a018517bced864772dc074afc4facd43cc48b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\favicon[2].ico

Filesize
1KB

MD5
44385673eef386ec121603cd302fd05f

SHA1
c15a6d61054ffb16d8df4da943b545349fc82631

SHA256
069e8a1e31aba074cc28bc9d6d54c67495bd42a02115dc232be7c8d9f83e40a8

SHA512
e80c43be006b5eeb66f98192b177163e92b75a5cd0aaa880ade24a67db7a1f29a0cb958b158244db47386cdc775dd025e0fc1f97e3d7adcddb76d347f3073da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39E7.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39E9.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B76.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YJM74KE1.txt

Filesize
606B

MD5
61a1222b5f116b3d33421d943bbd876c

SHA1
8ea8cb6527196af361e60230a7e27526b715444d

SHA256
2b5d5a227ea672a165a3c781342da5612e924cc0900eff3b8ae61ed07ef61a3c

SHA512
8e5b8c714a32ca30e86a45d28b1cf2230227779ce76f7f40dac4e717b4585111c9b0efbd7e61d58305f90fa28dfd63450158a3e4ace11ee31e1b47d1007eef3a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.