Edit tour
Windows
Analysis Report
Message.eml
Overview
General Information
| Sample name: | Message.eml |
| Analysis ID: | 1635241 |
| MD5: | ef92f628bfd2197b2a10917a2ca823ee |
| SHA1: | f95993968ebfaba73a70fb935dcdc05c9aad8b15 |
| SHA256: | 3ec1e95b349f7b279b126a67df98b8e27cc83a442b5080e01c10e5adf7decd8a |
| Infos: |  |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
AI detected landing page (webpage, office document or email)
AI detected suspicious elements in Email content
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Suspicious Office Outbound Connections
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Classification
- System is w10x64_ra
OUTLOOK.EXE (PID: 6912 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\OUTLO OK.EXE" /e ml "C:\Use rs\user\De sktop\Mess age.eml" MD5: 91A5292942864110ED734005B7E005C0) 
ai.exe (PID: 7048 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \root\vfs\ ProgramFil esCommonX6 4\Microsof t Shared\O ffice16\ai .exe" "898 0DDC0-DEA9 -4551-B134 -59AF5E46D 54F" "3D3E BDEA-B1E5- 4F1A-A118- D2C3CEE98E 9C" "6912" "C:\Progr am Files ( x86)\Micro soft Offic e\Root\Off ice16\OUTL OOK.EXE" " WordCombin edFloatieL reOnline.o nnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: X__Junior (Nextron Systems): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Phishing |   |
|---|
| Source: | Joe Sandbox AI: | ||
| Source: | Joe Sandbox AI: | ||
| Source: | Joe Sandbox AI: | ||
| Source: | Classification: | ||
| Source: | Suricata IDS: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Classification label: | ||
| Source: | File created: | ||
| Source: | File created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Key value queried: | ||
| Source: | Window found: | ||
| Source: | Window detected: | ||
| Source: | Key opened: | ||
| Source: | Key value created or modified: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information queried: | ||
| Source: | Queries volume information: | ||
| Source: | Key value queried: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 21 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high | |
| s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 40.79.197.34 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
| 2.22.242.90 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false | |
| 199.232.210.172 | bg.microsoft.map.fastly.net | United States | 54113 | FASTLYUS | false | |
| 52.123.128.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
| 52.109.76.243 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1635241 |
| Start date and time: | 2025-03-11 14:23:45 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 14 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | stream |
| Analysis stop reason: | Timeout |
| Sample name: | Message.eml |
| Detection: | MAL |
| Classification: | mal48.winEML@3/3@0/47 |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.109.76.243
- Excluded domains from analysis (whitelisted): roaming.officeapps.live.com, ecs.office.com, dual-s-0005-office.config.skype.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250311T0924160689-6912.etl
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | modified |
| Size (bytes): | 114688 |
| Entropy (8bit): | 4.596181888185424 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 0D0EBDDDBB2AFC9E22BD5E30D6BF2A45 |
| SHA1: | 0188500316D2B0EA6349A534408DFE61B4B01454 |
| SHA-256: | AFC64F7331230ED7159E96CF359185A40C6DF86BF79A2EC652551363DEA61F38 |
| SHA-512: | FFDF266993B7D15C95CAA6F4F761EF286E091E07EB4C542DE136C935D5C0C92EF6CD5669FE8818D95E66E3D55F7C45A014E138E9CF6DBEC6E731C1DB787CE5F2 |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 271360 |
| Entropy (8bit): | 3.079777823592949 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | B1C541D1BAB39B5173CBE3B56971DF8A |
| SHA1: | 992889536EA0378308EB6A7A9A49B8FE1170C385 |
| SHA-256: | 44A9DE5A3BF72B16D565461FA1E6567B3DC3C64474F0AA581493B8B88FFA06B0 |
| SHA-512: | EE50E8E40215B8C1C24E0B43D10054706728A5E336D1AB5FDD7E80D47A7688A6E0D45D163987B46086AE0588D930DB7D343DD5CA2583020868579202AABA0915 |
| Malicious: | true |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131072 |
| Entropy (8bit): | 3.8368185421491456 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 41F5B1111669E24674FD4CD3EF2071C2 |
| SHA1: | CF8393765AC2B5FA786AC97398219DAE3F29BC25 |
| SHA-256: | 38DFEAA06DE99499E16892CA93D870DDDC9AF0F7B04736072B2967D4FFE4E45D |
| SHA-512: | 4BAFFD503CCBCC1509685BA08A1BE036A5347FBAA1A61EAA348A5628465D3E9775488602D508257FA5EAB3996F0AAA2B9452EDD19E991C8400023146E1274D79 |
| Malicious: | true |
| Reputation: | unknown |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.085658312077801 |
| TrID: |
|
| File name: | Message.eml |
| File size: | 26'782 bytes |
| MD5: | ef92f628bfd2197b2a10917a2ca823ee |
| SHA1: | f95993968ebfaba73a70fb935dcdc05c9aad8b15 |
| SHA256: | 3ec1e95b349f7b279b126a67df98b8e27cc83a442b5080e01c10e5adf7decd8a |
| SHA512: | 781e63d429b5a2497e6726b473c47b71662590db7439a5783504fc63749437ecf31ca7d36d0819f8ab7c03542c02b218d3ac83ad39d34c65e7fbed73f11aa919 |
| SSDEEP: | 384:1AFnr14VGOTYEo7y0/syree9N3RZaRMgWpdqwthT+05rSrTA:1AFnrIGOTYE4FnaRMFTWA |
| TLSH: | 4BC24B101B535D27E7A51099B4127E08B2A27942907B58E4BC5F317F47CF4BE3F2AA8E |
| File Content Preview: | ..."Received: from ZR1P278MB1151.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:59::14).. by GVAP278MB0645.CHEP278.PROD.OUTLOOK.COM with HTTPS; Tue, 11 Mar 2025.. 11:00:03 +0000..ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=fail;.. b=A36o |
| Subject: | Reminder: Christophe MATHIEU shared "Updated Report [ActiveID:FY2025]" with you |
| From: | DocSend <no-reply@docsend.com> |
| To: | egrob@1875.ch |
| Cc: | |
| BCC: | |
| Date: | Tue, 11 Mar 2025 10:59:52 +0000 |
| Communications: |
|
| Attachments: |
| Key | Value |
|---|---|
| "Received | from ZR1P278MB1151.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:59::14) by GVAP278MB0645.CHEP278.PROD.OUTLOOK.COM with HTTPS; Tue, 11 Mar 2025 11:00:03 +0000 |
| ARC-Seal | i=1; a=rsa-sha256; cv=none; d=1875.ch; s=default; t=1741690801; b= gUujWLmGr50y6SxVuWUAszART2HCAmvKup6sl8yLqnAqAef0xmWf+oFV3FNZdFFU FZtRPD0clqPCSsKeZI4QRhp4dLker3iKp4TT0bCf/KyG6vt+chBTZhrT1SNK3bTt mN+9GxR0omN2BkexU03/o+sFBp4zK9dGkALuAgj7Gllwrz+rPCBKANojIQ4PGcF8 TBtfi3up63hFaD3IybJ41+7zY4APWlK27vI/U82uGImHDm0UZeKAsaLbjVZqgEEt PCtwHkyQNYl+zZMTSp3/Ts6nNqZY+m39zCvLc7z/KlPSSZgLVG4FO+bmzOHYEoFS jY4SZ5AEolN9im5PLh0Vvw== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=1875.ch; h=content-transfer-encoding:subject:from:to:content-language :user-agent:mime-version:date:message-id; s=default; bh=TwAz3Ohm c7RdtRsSUWgJ2m0c4Oi2fM8fnI2w6WsGhIM=; b=nui5CHAEUW2+tEuD7n24qrxi COVkQR68TmAWOtJRMNeyxEt6VJAuKEp7gfN/qhWFkvajeNo5JYzbJO5ms7vKDS1x pAQKbSlkkf/aTrhbbBXmBrqo504n1Ge1uA4gA4rxhZzGkc/IsFf5fK1Ftqid15/L IXiZqw+V+GtOdfMsuql4DCxGU5C38KHA1BZK7Af+zbb82Yrd9P40/On7M15sg3c2 Mrggs611FVmALlMXvjbbRYTyIttDmxNNOv3MkcuXZkJplKY/3NIO92TvfpPNXhE4 3m3uJhIQ1LYBnY0CAqATr27e+1gBz1qA5ab4PRRG63Si7Epg4XWHkifToHvAPw== |
| ARC-Authentication-Results | i=1; 1875ntwsep01.1875.ch; dkim=pass header.d=docsend.com header.i=no-reply@docsend.com header.s=20190205231828pm; spf=fail smtp.mailfrom=pm-bounces.docsend.com |
| Received | by mta216a-ord.mtasv.net id hq0bqg3864or for <egrob@1875.ch>; Tue, 11 Mar 2025 06:59:52 -0400 (envelope-from <pm_bounces@pm-bounces.docsend.com>) |
| Authentication-Results | spf=fail (sender IP is 40.93.85.30) smtp.mailfrom=pm-bounces.docsend.com; dkim=pass (signature was verified) header.d=pm.mtasv.net;dkim=pass (signature was verified) header.d=docsend.com;dmarc=pass action=none header.from=docsend.com;compauth=pass reason=100 |
| Received-SPF | Pass (protection.outlook.com: domain of pm-bounces.docsend.com designates 104.245.209.216 as permitted sender) receiver=protection.outlook.com; client-ip=104.245.209.216; helo=mta216a-ord.mtasv.net; pr=C |
| Authentication-Results-Original | spf=pass (sender IP is 104.245.209.216) smtp.mailfrom=pm-bounces.docsend.com; dkim=pass (signature was verified) header.d=pm.mtasv.net;dkim=pass (signature was verified) header.d=docsend.com;dmarc=pass action=none header.from=docsend.com;compauth=pass reason=100 |
| DKIM-Signature | v=1; a=rsa-sha256; d=docsend.com; s=20190205231828pm; c=relaxed/relaxed; i=no-reply@docsend.com; t=1741690792; x=1741863592; h=date:date:from:from:message-id:reply-to:reply-to:sender:subject:subject:to: to:cc:in-reply-to:feedback-id:mime-version:content-type; bh=TwAz3Ohmc7RdtRsSUWgJ2m0c4Oi2fM8fnI2w6WsGhIM=; b=Ky9UFar033JOWTjzFC9G9Z97U0Knt3y9GeCviBw/QfakynkTUylLkuVqX2lKAl+WKKxu9EiIOrg tqtZfr/Lyv7fZqX49SyMJQ50jIwjGymJz9om6nUhjn5WL3u5xzznHoQCfmVwZg6H9sDAwQsoGuSbu HCleNOhsv8eFC0Av6k0= |
| X-PM-IP | 104.245.209.216 |
| X-IADB-IP | 104.245.209.216 |
| X-IADB-IP-REVERSE | 216.209.245.104 |
| From | DocSend <no-reply@docsend.com> |
| Date | Tue, 11 Mar 2025 10:59:52 +0000 |
| Subject | Reminder: Christophe MATHIEU shared "Updated Report [ActiveID:FY2025]" with you |
| Reply-To | christophe.mathieu@atdoomco.net |
| To | egrob@1875.ch |
| Message-Id | <d57fc8a6-615e-4a12-b804-b9cf4268e1ef@docsend.com> |
| In-Reply-To | <$ed861cba-91b3-453b-a99b-b76c30c7e142@docsend.com> |
| reference | <5963543b-8cc8-4dca-8447-169f249b2abf@docsend.com> |
| headers | {:Name=>"x-cid", :Value=>2056016409} |
| Feedback-ID | s4701651-bm90aWZpY2F0aW9uX19idW5kbGVfZ3JvdXBfbGlua19pbnZpdGVfcmVtaW5kZXJfbWFpbGVyLnNlbmRfaW52aXRlX3JlbWluZGVy:s4701651:a165695:postmark |
| X-Complaints-To | abuse@postmarkapp.com |
| X-PM-Message-Id | e0d17fb6-45cc-4b2a-8fdb-95ed6ae261ce |
| X-PM-Tag | notification__bundle_group_link_invite_reminder_mailer.send_invite_reminder |
| X-PM-RCPT | |bTB8MTY1Njk1fDQ3MDE2NTF8ZWdyb2JAMTg3NS5jaA==| |
| X-PM-Message-Options | v1;1.5xaKUCWinRGrkvo7qB3KQw.Di1ifsUGkT-Oai4eclEsF-NcJ-ijDPIHrxdDtSG9U2q3tZUtIeMn9R1VDKWsIGWcKgR9DGgJ_t68EQ93h9EE7I5ptVZzjXCZ1YQAcXRFLZh4Scz3Atpc4U4XsfD4iQkSmfY3-OLzxxzSLSKHYvtxaYC8luENLXoz0dzaco7rocKDtrAn-qE4CfEzuwoMuCpz0dtvDXqggE8Bd82LoLzik9bpLkY5titMyUE1xiq8gGvdTGAmvP1O4lxK8qaKHsxyxZDrI7UYUQhPD9Qg1SiY-xpJSbJLUL9ClROkJhB83fKa8SD-9_-QSO_LBjZ9ngWOLZ9CGmcyw6-6u3u6L-VoaA |
| X-PM-MTA-Pool | transactional-2 |
| Content-Type | multipart/alternative; boundary="mk3-cfbdb5600c7644509dcf9e43998ec653"; charset="UTF-8" |
| X-EOPAttributedMessage | 1 |
| X-EOPTenantAttributedMessage | 2d47ce49-7c14-4e1c-8ed2-e66cceeb737b:1 |
| X-MS-TrafficTypeDiagnostic | ZR2PEPF0000012D:EE_|ZR1P278MB1139:EE_|ZRH2EPF0000014F:EE_|ZR1P278MB1151:EE_|GVAP278MB0645:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | 86ecb436-cddf-4816-c73a-08dd608bdf42 |
| X-MS-Exchange-AtpMessageProperties | SA|SL |
| X-Microsoft-Antispam-Untrusted | BCL:4;ARA:13230040|1032899013|5062899012|2092899012|3072899012|69100299015|12012899012|4123199012|5073199012|5063199012|42003499006|3092899012|7053199007|13003099007|4076899003|2066899003|8096899003|43540500003; |
| X-Microsoft-Antispam-Message-Info-Original | 6aSG+uMUgFU2RZu6n4Xoc6g7faA1KPyQbm2qZKdDTvMWwXccdMBlfUnBkHOnBRuvJ5WaujSogM62IeJmTvZsxaHGnaJjR5FmDWnT5Dsx6sr0lH7rzng947YAG/Mp44TmLecO1eUTTzzf5lw1+4gvBdkzIcAx3OADg2VJIeJrtS7RzrAEHJbVNE4LM90ALA5w7kHe9H+WbZDf/AZDFeuSobaIz2fO3hIS9Wscs117DuM3BSFVv3gKQUiiwFielLJQ5m8HWNd/0gaz8pcClAnN9AWbF/qzvACNqTuPVk6eRfYemdzaMysRNF3h31bAqIWPvH2OiPVjK7v7UDiBIryI7/+UfFv5VaAe7xk4Zp6bLywwt+6Z6wUlYVtIdZ6SHBh8S2cRZrNnvlkPaJAsxOZGVww4VtaJsHF5uJUJgy1m5vyX7eVShTxUuJxdULD6A+lnjTcjsCMi2NbtIXBOhtH6iuA++qusZ3cDMKCdB/95uE2hsIqDOGTvPFMT1+1hgQVPolF1Vr5/VBECLQDoyfO85mxFrU8velFSwsxmSnbV4l3IIzfgT86cPdjFRczSPGYXzc3u/u7BrHZqzvQE4+sckF9kUc+24LSYaJ71u9+t3uTnYU3kRTnRqSiCcIoz3puKEXyY21bW5Upeok6w5NE8QsA2L3QZc0JZtCAKJuzWF7f44n1BqpXY3a7AWZGByRbtCX2AO1msLvHB7BI3sXi20plOjj8mtUzZcNb4r1qXpVTVA5+CLD/nsMFjkn6cKDNBrwyulV3caBdJPpZtQ+Zqybu991/TF0eSWlTsjFoQV4p5LhivegKHD3l/HmvhQYNYl13ujXmbeBaFkUULfh8rB7Vnbv4QLkAVBZ/ep3KLyHUA6HMk3WZBiY/pICligklWCECJG+/j6mp/HqUo0NLyPButwXNy2wYa/mKn6ifZkDL6jfDIlwhgvfE8pR6H2NcAFnBoSGx4mTbslKV+oF2uPXDMHCA/yFfmS9bvmfKu5NxzsV9vOHVo1dyMKIc26nBomcFTuVViRIkh6Zq6rBJHHpoHG2OxdwCr1wL1EoRD6T8OcwEewNcQO4XA7+Y5SDZqesA9vd7UnWcdegU9l1AdONChUwRAnz5OT/OFtn7GFrzjkLkSqCgayX+gipv/pQbw3UcMvIV7Q3hasOMXDAnUwUe7pRzwFVJlLEzFQEjHwyr5HaKY9eU759KqkLpDEujWmbVxKNl4NXacW2pyHM3rTTYPCXGC7y50WBSNYIT3N/27ZNd6tx6QF7vaKiVP3r83jAfuddjVNJEIWjOu1rq6gwZfZhg+yHyX173kUD00kRHrq3pCKH7uWZn8dKqLEF2kHWeK/4hbVmilKKjTJ8iVcsuBrL9jHDNjMUZmkjdYuQe1L2dolCLIGbpRxiSNqkhYEA2qw6+corxKaLIwOzoYNwA18FpdNnp65LqhQSbfFnIkBKWs3+EiCWr8wvV55/1FozNbR7kGq3uPQ1mrDDgQ54080Hz4i3ZE2/ua6JN14hx1zyP/Fagp5N6G4hAT9Pdw/9X3/84npKLH3MjKKZ/wWQbsSFKA/wIBgXA9CLjeoff8eJb6NfhKy7YoTI4GxJHfhZ88bhyGryA2IYuYy98QOD3TNUcUK81D+sVCGMrgAG3wgjK21hNnOAA3NIC9bh5DbJlwMjm9L6HD4WlcCPQPdqfnkgIwtFC8RePH50IHTfvlFVcnwk3SCotXXA4gIrJjVW075I7N7g2VdLMWUOCpMlcFxGwplGjfQtnw6F4xMEFF9EoqQQ84dYq7nOXENs7HAkz43wbYQYUv4PQAyZmRju7H6OOXG87g33BHXXy+6qqFTMxgHqFY2AqmWpBAfQnfXY5RmLw+erLhGN4Luy2V5InHejMcEpdxLNFKjIl0JxETg+eUvSGut0XaqHXbPb7DJ/LFZ42/tEpM/ENhLL4zOILdg9UWrnmtQ0yjZqgr/dMt6K7rnSoMQDs3Rhlo+/ZDBocOkBkv9q+X8xYAOa13Vy9VKyZRnKhtBUUpon69Mq2H2DMh/VxGT4sTCo4sHFRSjOJujsJnOpCdy0lBpkn6+72L2Ba6H9dKbJmcawFWb9s= |
| X-Forefront-Antispam-Report-Untrusted | CIP:104.245.209.216;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mta216a-ord.mtasv.net;PTR:mta216a-ord.mtasv.net;CAT:NONE;SFS:(13230040)(1032899013)(5062899012)(2092899012)(3072899012)(69100299015)(12012899012)(4123199012)(5073199012)(5063199012)(42003499006)(3092899012)(7053199007)(13003099007)(4076899003)(2066899003)(8096899003)(43540500003);DIR:INB; |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | ZR1P278MB1151 |
| X-OrganizationHeadersPreserved | ZR1P278MB1139.CHEP278.PROD.OUTLOOK.COM |
| X-SM-incoming | yes |
| Return-Path | pm_bounces@pm-bounces.docsend.com |
| X-MS-Exchange-Organization-ExpirationStartTime | 11 Mar 2025 11:00:01.8894 (UTC) |
| X-MS-Exchange-Organization-ExpirationStartTimeReason | OriginalSubmit |
| X-MS-Exchange-Organization-ExpirationInterval | 1:00:00:00.0000000 |
| X-MS-Exchange-Organization-ExpirationIntervalReason | OriginalSubmit |
| X-MS-Exchange-Organization-Network-Message-Id | 86ecb436-cddf-4816-c73a-08dd608bdf42 |
| X-MS-Exchange-Organization-MessageDirectionality | Incoming |
| X-MS-Exchange-SkipListedInternetSender | ip=[40.93.85.30];domain=ZRZP278CU001.outbound.protection.outlook.com |
| X-MS-Exchange-ExternalOriginalInternetSender | ip=[40.93.85.30];domain=ZRZP278CU001.outbound.protection.outlook.com |
| X-CrossPremisesHeadersFiltered | ZRH2EPF0000014F.CHEP278.PROD.OUTLOOK.COM |
| X-MS-Exchange-Transport-CrossTenantHeadersStripped | ZRH2EPF0000014F.CHEP278.PROD.OUTLOOK.COM |
| X-MS-PublicTrafficType | |
| X-MS-Exchange-Organization-AuthSource | ZRH2EPF0000014F.CHEP278.PROD.OUTLOOK.COM |
| X-MS-Exchange-Organization-AuthAs | Anonymous |
| X-MS-Office365-Filtering-Correlation-Id-Prvs | 5ae0deca-d3c9-44d8-3835-08dd608bdaad |
| X-MS-Exchange-Organization-SCL | 1 |
| X-Microsoft-Antispam | BCL:4;ARA:13230040|12012899012|5062899012|35042699022|3092899012|42003499006|82310400026|2092899012|3072899012|34020700016|5073199012|2040899013|4123199012|69100299015|5063199012|1032899013|8096899003|2066899003|4076899003|13003099007|7053199007|43540500003; |
| X-Forefront-Antispam-Report | CIP:51.107.1.154;CTRY:CH;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:ZRZP278CU001.outbound.protection.outlook.com;PTR:mail-switzerlandnorthazlp17011030.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(12012899012)(5062899012)(35042699022)(3092899012)(42003499006)(82310400026)(2092899012)(3072899012)(34020700016)(5073199012)(2040899013)(4123199012)(69100299015)(5063199012)(1032899013)(8096899003)(2066899003)(4076899003)(13003099007)(7053199007)(43540500003);DIR:INB; |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 11 Mar 2025 11:00:01.8269 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | 86ecb436-cddf-4816-c73a-08dd608bdf42 |
| X-MS-Exchange-CrossTenant-Id | 2d47ce49-7c14-4e1c-8ed2-e66cceeb737b |
| X-MS-Exchange-CrossTenant-AuthSource | ZRH2EPF0000014F.CHEP278.PROD.OUTLOOK.COM |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-EndToEndLatency | 00:00:01.8351889 |
| X-MS-Exchange-Processed-By-BccFoldering | 15.20.8511.025 |
| X-Microsoft-Antispam-Mailbox-Delivery | ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4713020)(470014026)(4714040)(920097)(930097)(140003); |
| X-Microsoft-Antispam-Message-Info | 15lJ4uqTD5E9vnQ2Ab47a3VHh3zy5D5Ox3pDyKysX8Yo2QwSKx+XbtcI7ZvDqzAe8GzylesPpSHoVMduVpg4EprCqJjS08Bn8c5V+DKnz5t/4GnfpvtWAMAg8ybmtllGUb8OBQUIveKDeJ7d+4nOWw+//ccZ5haKBJkKCdk9Inm7O/EhMWO8PbwLo8KSORBNuZBSJiChGl8PD5qI/iEqiB6KX77VPAMnBSyvgVBaEjcnzyfIJSe5NEg6naA1sThkZbYPe7WkmAhHoqpa/f8FfaAfrwX5OHBFhc04ow81DHkybGRxnQBiMVuq+IxuN/stp77SowKEZGD2Q5FDKrzm2sPYOQun4ek4Fed3K7eQLZoV/AFYrg39AR03RS5hGGEg5rcITnvG68IdClVh1lR5F0NUasvtBXqooAV8JtBhuwPbE3HHAfI/mefybvI3DhQ464UfsSPHAsyv7WTurKIfjSZYgzcjjLa5XeS4aJKPV/8tAKAiuiVOLNPBf1GeYn+7X8d7W0tsGTuON4VjeQWZyChEEiXxRk20WGwjqG/ICkuurz9Cq+nyi3Rp58wGzezYxutldM7T9Vw7/UO4vEIbHQTfPI5wlPdMA3+tYrB3uGDE9l7ikOz/xw0P3/Uyw9uEghXKrhUU3DF5DkVGgBFIarem0R/ZkJmBOd+XA3f2bdcZRrZ9eNxKRqPbtWQ+eMMI6dKI19Ai4lGMHQY13kxVAXMQNqEYiV6aAkc9GNfX4taJOVCVJcYkmjmurNmESaaKgwerLH8XGcv99xnnyQq3uCOTS6DzNaJdAdCkezVPpxaafUEUoOVVRMPRlptYA0GzKh0zO6J4CdBYbvquEKq4KF74ma3UsyB64HTP8kMZAQVE2FPbdIZpNjk7zbA3cUu84QxZg03DkaRj0PGDXj6zFwBUHbaXR/VsHwdNwJ2S/84DsVDfSNSW//j/+ONCpy1upgoFzNdmWBB8sKuj57mtH7v3Gdm103pdFCtU9xI0AoBURz8Pa5Kyn7CpSPrJFhH1cCJtibC8IFoo2GbwAzMxqcYyjqcRVF8uFL5PsWFBffg9SpppYmQf9VD95rURtXOip+5vV78/ha2drML1KELFEkPIQ4LofzzjmXCD2EyJdzS9m2QKL0hP/sIkY6KZYS9sTraWYMowPQl0aIwDrzLTmLEYKTjHYbhKXz33TlLiNLITi4Xiy2ZuI1XeQNzDPY4s1u2vKtfrc/A+wiYQa1Tcts9B9AVfRyRBrCQ7XtQA6B2wjqHuIlZjuJu1VeBX36lZwbRgPSZJvBzJmIPd+psLanwkj/zTrYW0/N01cQrqA19BHq9U8JEdYjDM4sd3q9+p1XVxjy7PliR8Ig4HHgh82iJVr0BgTAF6Z81BGumOOnyUgg/NWFl1QGElsjHcoZ6UPq7580sZhNlozgrcubb2g/O1TC+5j1RATMD0Hb9Ab/u8VmnAfMs3PqWwrIfE1lIy/E78ntURNXuNBClxM3Jtxjm0gti+VQ57BJogV0jMN0JR84YVz/rXcBpbCUQVuhNmbPxoje+cIczigDdKlHj/rK47kHmqiRx7+G0YyI0rZTjQS9juv5wez3OuOdc6jd+4QFdIhN44pi5XjBGhKtTbazRXSTOCml2l2yi0d02YBJJCuy/0fxzjJt7On9aXJ18ZYZ8XqVCGMusyVmNRbU7jlnfiyMs43aJffiD3O2VsUk/HMvV/VDk1LqZK9EK3g8pknBijaHwvjBw/CfB3swvsvmSKw81k3YKVz2JEtVFVnytkM06vqezyh5Hve3TRdIshBSkJpM0lrKvTSCjzJIS3P/dRbl3Pb+0e3a+7CK+bAjnYTHPVQvdfqPEhCZgNqhUqt8M+6OqkwOeiKbnd3FtCCd+IytKRzxyep5sCIx2smtIJXQ9oUt43yKUnBQ/UNVFu7+FK46aqKctmiqOqsPR/h/0nE0hwrEaiujJONIeKFv1VERBcSo3QElwIbF6/3otLszJfxUJ2BMFsOrBKIK4TByNYKUTvlN+TFuG16uHHmHYzMZ2zIOFV3yfjkj+BMGG+ZiqqSjsAq07cwWVB76xUHnHSUqWLJgNh2y7qm7BmSl8w7qPlJK6fkFGG8SvA7fgrVdhthud07KPTRyS4GWGzMQ== |
| MIME-Version | 1.0 |
 | |
| Icon Hash: | 46070c0a8e0c67d6 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node