Windows Analysis Report
Acct# 427094 _ Plateautel Payment_ XEPOOFUCKD.eml

Overview

General Information

Sample name: Acct# 427094 _ Plateautel Payment_ XEPOOFUCKD.eml
Analysis ID: 1635292
MD5: b3ab7c88df0380987cacc182c9fd281f
SHA1: 4d4610631fe8a0dab7186729ce47ac83d3efdddb
SHA256: cdd3fb04f6af1c5b6e721f597b3701f0fa79eec52e6e4c5bd34b0aa80396d66b

Detection

Invisible JS, Tycoon2FA
Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
Yara detected Tycoon 2FA PaaS
AI detected suspicious elements in Email content
Creates files inside the system directory
Deletes files inside the Windows folder
HTML page contains hidden javascript code
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Sigma detected: Suspicious Office Outbound Connections
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 2036 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Acct# 427094 _ Plateautel Payment_ XEPOOFUCKD.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 1120 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91947CD7-18ED-4373-9AC0-76341F5DD575" "FEF7AA1D-6AFF-4F3A-8D03-3E281AE40B0A" "2036" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 4784 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\E040JFDE\DOC09039200209239_ExcelSheet_PaymentAdviceKLTBRASMNG.SVG MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 1104 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2084,i,9354776553243603214,16541752267754126164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 0.1.pages.csv | JoeSecurity_Tycoon2FA_1 | Yara detected Tycoon 2FA PaaS | Joe Security | |
| 0.0.pages.csv | JoeSecurity_Tycoon2FA_1 | Yara detected Tycoon 2FA PaaS | Joe Security | |
| 0.1.pages.csv | JoeSecurity_HangulCharacter | Yara detected Obfuscation Via HangulCharacter | Joe Security | |
| 0.1.pages.csv | JoeSecurity_InvisibleJS | Yara detected Invisible JS | Joe Security | |
| 0.0.pages.csv | JoeSecurity_HangulCharacter | Yara detected Obfuscation Via HangulCharacter | Joe Security | |
            Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2036, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
            Source: Registry Key set, Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\E040JFDE\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2036, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
            Source: Network Connection, Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.17, DestinationIsIpv6: false, DestinationPort: 49701, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Initiated: true, ProcessId: 2036, Protocol: tcp, SourceIp: 52.123.129.14, SourceIsIpv6: false, SourcePort: 443
            No Suricata rule has matched

            Phishing
            Source: Yara match, File source: 0.1.pages.csv, type: HTML
            Source: Yara match, File source: 0.0.pages.csv, type: HTML
            Source: Yara match, File source: 0.2.pages.csv, type: HTML
            Source: Email, Joe Sandbox AI: Detected potential phishing email: Suspicious sender domain 'btusados.com' does not match the claimed company Plateautel. Subject line contains random characters 'XEPOOFUCKD' indicating potential malicious intent. Attachment has suspicious naming pattern and unusual file extension (.SVG) for a payment document
            Source: https://x68.egexgysh.ru/jyvIY/#launaw@plateautel.com, HTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Office 365 Documentation</title> <style> body { font-family: Arial, sans-serif...
            Source: Email, Classification: Invoice Scam
            Source: https://x68.egexgysh.ru/jyvIY/#launaw@plateautel.com, HTTP Parser: No favicon
            Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update: 192.168.2.17:49701 -> 52.123.129.14:443
            Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknown, TCP traffic detected without corresponding DNS query: 51.132.193.104
            Source: unknown, TCP traffic detected without corresponding DNS query: 2.17.190.73
            Source: unknown, TCP traffic detected without corresponding DNS query: 52.109.28.46
            Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown, TCP traffic detected without corresponding DNS query: 142.250.185.67
            Source: unknown, TCP traffic detected without corresponding DNS query: 199.232.214.172
            Source: global traffic, HTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1 | Host: code.jquery.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://x68.egexgysh.ru/ | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
            Source: global traffic, HTTP traffic detected: GET /turnstile/v0/api.js?onload=onloadTurnstileCallback HTTP/1.1 | Host: challenges.cloudflare.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://x68.egexgysh.ru/ | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
            Source: global traffic, HTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1 | Host: cdnjs.cloudflare.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://x68.egexgysh.ru/ | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
            Source: global traffic, HTTP traffic detected: GET /turnstile/v0/g/f3b948d8acb8/api.js HTTP/1.1 | Host: challenges.cloudflare.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://x68.egexgysh.ru/ | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
            Source: global traffic, HTTP traffic detected: GET /favicon.png HTTP/1.1 | Host: developers.cloudflare.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Sec-Fetch-Storage-Access: active | Referer: https://x68.egexgysh.ru/ | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
            Source: global traffic, HTTP traffic detected: GET /favicon.png HTTP/1.1 | Host: developers.cloudflare.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Sec-Fetch-Storage-Access: active | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9 | Cookie: __cf_bm=wRVCmiKM5UooM.XYPfEsdNXL9fmWcT5zAN5OQ0_Gr8c-1741702315-1.0.1.1-B.SDpHAA_fIzo73Z.hD6U2Imcsamb3Wxty5Zx658cNgpCBdLJB1SvR3TJyL133L6M3SxUi2PqovY13aWvLd2.5WEHT1a6t991ltVdo7yVmQ
            Source: global traffic, HTTP traffic detected: GET /gando$wlpzc HTTP/1.1 | Host: sakzsp.hjxjov.ru | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | Origin: https://x68.egexgysh.ru | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://x68.egexgysh.ru/ | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
            Source: global traffic, DNS traffic detected: DNS query: x68.egexgysh.ru
            Source: global traffic, DNS traffic detected: DNS query: www.google.com
            Source: global traffic, DNS traffic detected: DNS query: code.jquery.com
            Source: global traffic, DNS traffic detected: DNS query: challenges.cloudflare.com
            Source: global traffic, DNS traffic detected: DNS query: cdnjs.cloudflare.com
            Source: global traffic, DNS traffic detected: DNS query: developers.cloudflare.com
            Source: global traffic, DNS traffic detected: DNS query: sakzsp.hjxjov.ru
            Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: cloudflare | Date: Tue, 11 Mar 2025 14:12:04 GMT | Content-Type: text/html | Content-Length: 553 | Connection: close | CF-RAY: 91eba5080d21bcf2-ATL
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File created: C:\Windows\SystemTemp\scoped_dir4784_1179448676
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File deleted: C:\Windows\SystemTemp\scoped_dir4784_1179448676
            Source: classification engine, Classification label: mal68.phis.winEML@23/10@16/146
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250311T1011200379-2036.etl
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File read: C:\Users\desktop.ini
            Source: unknown, Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Acct# 427094 _ Plateautel Payment_ XEPOOFUCKD.eml"
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91947CD7-18ED-4373-9AC0-76341F5DD575" "FEF7AA1D-6AFF-4F3A-8D03-3E281AE40B0A" "2036" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\E040JFDE\DOC09039200209239_ExcelSheet_PaymentAdviceKLTBRASMNG.SVG
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2084,i,9354776553243603214,16541752267754126164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:3
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: unknown unknown
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: apphelp.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: c2r64.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Window found: window name: SysTabControl32
            Source: Window Recorder, Window detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 11 Browser Extensions | 1 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |

            No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://sakzsp.hjxjov.ru/gando$wlpzc | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| code.jquery.com | 151.101.66.137 | true | false | | high |
| developers.cloudflare.com | 104.16.2.189 | true | false | | high |
| cdnjs.cloudflare.com | 104.17.24.14 | true | false | | high |
| challenges.cloudflare.com | 104.18.94.41 | true | false | | high |
| sakzsp.hjxjov.ru | 188.114.97.3 | true | false | | unknown |
| www.google.com | 142.250.184.228 | true | false | | high |
| s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | | high |
| x68.egexgysh.ru | 104.21.65.198 | true | false | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://sakzsp.hjxjov.ru/gando$wlpzc | false | Avira URL Cloud: safe | unknown |
| https://code.jquery.com/jquery-3.6.0.min.js | false | | high |
| https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js | false | | high |
| https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback | false | | high |
| https://developers.cloudflare.com/favicon.png | false | | high |
| https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.js | false | | high |
| https://x68.egexgysh.ru/jyvIY/#launaw@plateautel.com | false | | unknown |
                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1635292
                                        Start date and time:2025-03-11 15:10:49 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:17
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • EGA enabled
                                        Analysis Mode:stream
                                        Analysis stop reason:Timeout
                                        Sample name:Acct# 427094 _ Plateautel Payment_ XEPOOFUCKD.eml
                                        Detection:MAL
                                        Classification:mal68.phis.winEML@23/10@16/146
                                        Cookbook Comments:
                                        • Found application associated with file extension: .eml
                                        • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.109.68.129, 2.22.242.121, 2.22.242.130, 2.22.242.97, 2.22.242.104, 2.22.242.112, 2.22.242.90, 2.22.242.98
                                        • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, prod.configsvc1.live.com.akadns.net, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, roaming.officeapps.live.com, neu-azsc-config.officeapps.live.com, dual-s-0005-office.config.skype.com, config.officeapps.live.com, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, a1864.dscd.akamai.net
• Not all processes were analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtOpenFile calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • Report size getting too big, too many NtSetValueKey calls found.
                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        • VT rate limit hit for: x68.egexgysh.ru
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                        File Type:data
                                        Category:modified
                                        Size (bytes):106496
                                        Entropy (8bit):4.525305739750539
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:13F9E85995EEF807E8BFFF99B7F6070F
                                        SHA1:031E61A5DC630EAB38983FBA23727D2702E01881
                                        SHA-256:B0564FC7FBC55A9E1931687F591A16B1BC0999C858B37D83B4C2D8D6AEAFD26B
                                        SHA-512:0BACBFF734D07CE8272FC92A19F42F76107055CF4DAFCE957D8F3B9F3D15B6C1F4AA1CF5469159F4C3339BC923A7B4CC7660EC4C6CE4A272ABC571064C3F8D1F
                                        Malicious:false
                                        Reputation:unknown
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):49152
                                        Entropy (8bit):1.1880096534608788
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:C8424BAEF94DC953DA9DEE14306F9B4F
                                        SHA1:E6AAF4782845F8BEBB2EC1356B774E1647C6C6E4
                                        SHA-256:05A3A41A62E1337209D584DC467CB32911A02FAE6007077629B87C14D430662B
                                        SHA-512:E1FF34F634C0CD4285A42DF4F9ECEBA091E616037666334E39D4D5794B06563A3DB6C9B2065E3A729EC2532A66FF98E3D01613BACD35D4BDE5B7CAE8EC4BBB3A
                                        Malicious:false
                                        Reputation:unknown
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):16384
                                        Entropy (8bit):0.9113788463168018
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:ADF2D857DD0C62FE2E920AC80B78A9FD
                                        SHA1:3ABFD8C32DB0FBF84CAF8B332FF81D2D016A44D8
                                        SHA-256:C5DC3E05AE985E53716509BFC6BB51AED623B3B92DAE68260C41F4B590484385
                                        SHA-512:BDE91F40B95FCF1A57B591CD6DC1D55FD301AE992802A01FC89A8D6B8184EFA13B99BCF1EF36B9E0C77544FF632EDE3232115B6795649739A1C12E6E61193A1D
                                        Malicious:false
                                        Reputation:unknown
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                        File Type:Microsoft Outlook email folder (>=2003)
                                        Category:dropped
                                        Size (bytes):271360
                                        Entropy (8bit):3.1402036331423466
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:34062807399FF92961A795AC59B9906F
                                        SHA1:C29157B47E5D421ADE178C1096E84ADE3EA8E7AD
                                        SHA-256:B475BEEE2DC6E220ABC2238F18FE5999E50B0BEFB088CD7248C99B151B6DFEA2
                                        SHA-512:CD963E6F1A62DE34E595BACE100AA1C7002729CA7B666DC1819E42DAFBE0D53D35CA5644A48069D7E0EE13529AE0E308F49BF43437344C88E69B5C23AF0E0220
                                        Malicious:true
                                        Reputation:unknown
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):131072
                                        Entropy (8bit):4.043145313092689
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:C3C5CA61D37A6BC14E4F98CB8BF62BA8
                                        SHA1:AAF8074E5872E96F7CE9DBF31316C3ACAB24F80D
                                        SHA-256:9202BE24F9B7948B56114F01087A0C5BE36635A00E5A9B31D9BABCA5511B2283
                                        SHA-512:0891ABB47A6CBC2E62F3B06166A5C8E109DFD8025236A8A9569076EF6496D488C1C6F29C52F7F6E7FDAD8F22D4688FF85BB3AF4FA58C8C53420DAD02C560ACA6
                                        Malicious:true
                                        Reputation:unknown
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (48316), with no line terminators
                                        Category:downloaded
                                        Size (bytes):48316
                                        Entropy (8bit):5.6346993394709
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:2CA03AD87885AB983541092B87ADB299
                                        SHA1:1A17F60BF776A8C468A185C1E8E985C41A50DC27
                                        SHA-256:8E3B0117F4DF4BE452C0B6AF5B8F0A0ACF9D4ADE23D08D55D7E312AF22077762
                                        SHA-512:13C412BD66747822C6938926DE1C52B0D98659B2ED48249471EC0340F416645EA9114F06953F1AE5F177DB03A5D62F1FB5D321B2C4EB17F3A1C865B0A274DC5C
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (65447)
                                        Category:downloaded
                                        Size (bytes):89501
                                        Entropy (8bit):5.289893677458563
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:8FB8FEE4FCC3CC86FF6C724154C49C42
                                        SHA1:B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
                                        SHA-256:FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
                                        SHA-512:F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://code.jquery.com/jquery-3.6.0.min.js
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):937
                                        Entropy (8bit):7.737931820487441
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:FC3B7BBE7970F47579127561139060E2
                                        SHA1:3F7C5783FE1F4404CB16304A5A274778EA3ABD25
                                        SHA-256:85E6223AFDBD5BADF2C79BCFBAA6FE686ACAA781ECA52C196647FFABB3BE2FFE
                                        SHA-512:49FA22DE92BEBEDE28BB72F7C7902C01D59E56723811629E40C8A887E34FD0B392A9DF169A238BDD8E46D984E76312D75B2644B8611C66A71A559C1B6834DE6C
                                        Malicious:false
                                        Reputation:unknown
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (48238)
                                        Category:downloaded
                                        Size (bytes):48239
                                        Entropy (8bit):5.343270713163753
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:184E29DE57C67BC329C650F294847C16
                                        SHA1:961208535893142386BA3EFE1444B4F8A90282C3
                                        SHA-256:DD03BA1DD6D73643A8ED55F4CEBC059D673046975D106D26D245326178C2EB9D
                                        SHA-512:AF3D62053148D139837CA895457BEEF7620AA52614B9A08FD0D5BEF8163F4C3B9E8D7B2A74D29079DB3DACC51D98AE4A5DC19C788928E5A854D7803EBB9DED9C
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.js
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:Zstandard compressed data (v0.8+), Dictionary ID: None
                                        Category:downloaded
                                        Size (bytes):21178
                                        Entropy (8bit):7.980023348653577
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:26E60E75C63D2267E5312964A5218097
                                        SHA1:31627879AD9D3745B42B6BB643574675EE6D7279
                                        SHA-256:657D1AC1D3F8B8DC0D4B9FBE01462D1754594F6528065267C6190E4F6DCD7C2D
                                        SHA-512:8ADED5A3F74470AF4CE5C52F3CD9336A8335CC0CBBD2C43FAECDCD14FC934375A6C0EE6E58EE50D04EBCE1E2D1B4D3743CCBE4E3F85E4C893BA288BC5244EED0
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://x68.egexgysh.ru/jyvIY/
                                        File type:RFC 822 mail, ASCII text, with very long lines (398), with CRLF line terminators
                                        Entropy (8bit):6.121728196720577
                                        TrID:
                                        • E-Mail message (Var. 5) (54515/1) 100.00%
                                        File name:Acct# 427094 _ Plateautel Payment_ XEPOOFUCKD.eml
                                        File size:33'594 bytes
                                        MD5:b3ab7c88df0380987cacc182c9fd281f
                                        SHA1:4d4610631fe8a0dab7186729ce47ac83d3efdddb
                                        SHA256:cdd3fb04f6af1c5b6e721f597b3701f0fa79eec52e6e4c5bd34b0aa80396d66b
                                        SHA512:e4eae94d6845bfea3ae549369f2d03d34fa53c39d65356c90d856ea97983c0bf593700787e7ddd661915f05188ac1cd57363f392e6ca831c69fc33efc911f2b3
                                        SSDEEP:768:34iHkTXayaI2FPxDTZxTLRga1O3qvw+O/nN:34/TXbGFHxTlO6vw+O/nN
                                        TLSH:29E26C568C11102DEEA06A4E1C3D7F2732103A4B69F7F0C12C7FD5B6219767E5EA264E
                                        File Content Preview:Received: from DS7PR15MB5373.namprd15.prod.outlook.com (2603:10b6:8:74::11) by.. PH7PR15MB5307.namprd15.prod.outlook.com with HTTPS; Tue, 11 Mar 2025 14:04:31.. +0000..Received: from CH0PR04CA0101.namprd04.prod.outlook.com (2603:10b6:610:75::16).. by DS7P
                                        Subject:Acct# 427094 : Plateautel Payment: XEPOOFUCKD
                                        From:noreply@btusados.com
                                        To:launaw@plateautel.com
                                        Cc:
                                        BCC:
                                        Date:Tue, 11 Mar 2025 14:04:03 +0000
                                        Communications:
                                        • You don't often get email from noreply@btusados.com. Learn why this is important https://aka.ms/LearnAboutSenderIdentification CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Plateautel Remittance March 11, 2025 68840 Amount Due: $0.00 Dear Launaw, Your confirmation for Payment #68840 is attached for your reference. You can find all the details of your payment in the attached document. We truly appreciate your business and look forward to serving you again soon. Best regards, Accounts Payable
                                        Attachments:
                                        • DOC09039200209239_ExcelSheet_PaymentAdviceKLTBRASMNG.SVG
                                        Key Value
                                        Received: from a27-21.smtp-out.us-west-2.amazonses.com (54.240.27.21) by CY4PEPF0000FCC2.mail.protection.outlook.com (10.167.242.104) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8534.20 via Frontend Transport; Tue, 11 Mar 2025 14:04:04 +0000
                                        Authentication-Results: spf=fail (sender IP is 44.216.154.56) smtp.mailfrom=us-west-2.amazonses.com; dkim=pass (signature was verified) header.d=wgi1yzfd99klnfg1hwja.c.us1.defend.egress.com;dkim=fail (body hash did not verify) header.d=btusados.com;dkim=fail (body hash did not verify) header.d=amazonses.com;dmarc=none action=none header.from=btusados.com;
                                        Received-SPF: Pass (protection.outlook.com: domain of us-west-2.amazonses.com designates 54.240.27.21 as permitted sender) receiver=protection.outlook.com; client-ip=54.240.27.21; helo=a27-21.smtp-out.us-west-2.amazonses.com; pr=C
                                        ARC-Seal: i=1; a=rsa-sha256; cv=none; d=wgi1yzfd99klnfg1hwja.c.us1.defend.egress.com; s=17792456; t=1741701859; b=ar99hi50qSLW2A017NDrJGCLduQdGGsbbvzETa0E+uSf8wt+74IrSISAhzzmieiZ6nwpv3o0bnS GpUCJbbrX49dP3R7jsW3jP8jKzda/gkZPhsYvt5gR+gAafvLBioZ3ZNok89burUQAMTj+dKR+6rvJ tTWksTmiUPTgPuGIhHOkmjQrsMSl0eAQKrOVZ9RTXVCsyZun2v53NSLK3i61DlNXqtD44EKzNrU72 JSJW7Iz5d8s7/ykICmREK9MGlNx8e2iitUqM+D7rdUks9PbcZW90EfhWkS8k7U7GG7RgS4xbp8iro 2xx/uDKLjFpPQCxjishOaE1K+Gm/etQ4CoyQ==
                                        ARC-Message-Signature: i=1; a=rsa-sha256; d=wgi1yzfd99klnfg1hwja.c.us1.defend.egress.com; s=17792456; c=relaxed/relaxed; t=1741701859; h=from; bh=srWAjB6i38uXf6SpzVlhKcqEhN2rkPW8L4QlOc9KTKo=; b=fy4h/Q1RsbdM5+lD0/JYk4xWDd7MqfsKP2z//Vb2w9vR+m8pT07TpBjpWCy2WaXGYXa8AymTxeD WiRoxg1pAuDLVZ12IQ6yV3qC/PEO2Gv8a+hN/DxftL8zvtO13YzDld42OhswVfbwWhhuSAkUHuIM/ t1OuZ6BCkx1RSaNodmnkW2RtTOqYDD5ZrJOtiKx/YBbn0HlmqYJYisHo+do8O/3hu4EhLw4DT/Xxa rrf2GxRntI0f4cg6sc3ZTKIqDDqh99azC2Pp/WSPyXKLw3n36tH4+9xmrVRA/XXqwoqoGLwpMXyKi LdM/8TpxUP7f34Si0dmiH8oV0jtzKmmebvGQ==
                                        ARC-Authentication-Results: i=1; wgi1yzfd99klnfg1hwja.c.us1.defend.egress.com; spf=pass (sender IP is 54.240.27.21) smtp.mailfrom=us-west-2.amazonses.com; dkim=pass (signature was verified) header.d=btusados.com; dkim=pass (signature was verified) header.d=amazonses.com; dmarc=bestguesspass action="none" header.from=btusados.com; compauth=pass reason="109"
                                        DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=7v7vs6w47njt4pimodk5mmttbegzsi6n; d=amazonses.com; t=1741701843; h=Content-Type:MIME-Version:Subject:From:To:Reply-To:Message-ID:Date:Feedback-ID; bh=GezvNfXI5CCG0hnavuEP9UIr8uuMzBYQlUW2lAtMX9I=; b=QZ3s0KC9XbpCGcyx43b0dwUxjEGFpjXmwkQGlKluUZv0kaIdSiLuh8eH1GBZb0Id Ee8kyAi/z4N00XhqSJ2cJpwa0LlPwYJnG3rdRukB5Dr2WGQTT5TlwCdIJ8QzssZu14b QjktSx0czkB6/HiSvBSku9s/Rflj1+4sn+ZxQe1E=
                                        Authentication-Results-Original: spf=pass (sender IP is 54.240.27.21) smtp.mailfrom=us-west-2.amazonses.com; dkim=pass (signature was verified) header.d=btusados.com;dkim=pass (signature was verified) header.d=amazonses.com;dmarc=bestguesspass action=none header.from=btusados.com;compauth=pass reason=109
                                        Content-Type: multipart/mixed; boundary="===============7936637162623118947=="
                                        Subject: Acct# 427094 : Plateautel Payment: XEPOOFUCKD
                                        From: noreply@btusados.com
                                        To: launaw@plateautel.com
                                        Reply-To: noreply@thefirstfinancialtrusts.com
                                        Message-ID: <010101958585099f-199c702f-abd7-4685-971f-2292f554eda8-000000@us-west-2.amazonses.com>
                                        Date: Tue, 11 Mar 2025 14:04:03 +0000
                                        Feedback-ID: ::1.us-west-2.FBqtifYNERTci0618lQbmTdIIxPtKC4ijk/eel8BRss=:AmazonSES
                                        X-SES-Outgoing: 2025.03.11-54.240.27.21
                                        Return-Path: 010101958585099f-199c702f-abd7-4685-971f-2292f554eda8-000000@us-west-2.amazonses.com
                                        X-EOPAttributedMessage: 1
                                        X-MS-TrafficTypeDiagnostic: CY4PEPF0000FCC2:EE_|BL1PPFA4F352875:EE_|CH2PEPF00000140:EE_|DS7PR15MB5373:EE_|PH7PR15MB5307:EE_
                                        X-MS-Office365-Filtering-Correlation-Id: 232833e0-6ee0-4881-d45d-08dd60a59e8e
                                        X-Egress-Defend-Direction: inbound
                                        X-Egress-Defend-Domain: plateautel.com
                                        X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|3072899012|69100299015|2092899012|32142699015|12012899012|5062899012|5073199012|3092899012|4053099003|3613699012|4076899003|8096899003|43540500003;
                                        X-Forefront-Antispam-Report-Untrusted: CIP:54.240.27.21;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:a27-21.smtp-out.us-west-2.amazonses.com;PTR:a27-21.smtp-out.us-west-2.amazonses.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(3072899012)(69100299015)(2092899012)(32142699015)(12012899012)(5062899012)(5073199012)(3092899012)(4053099003)(3613699012)(4076899003)(8096899003)(43540500003);DIR:INB;SFTY:9.25;
                                        X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7PR15MB5373
                                        X-OrganizationHeadersPreserved: BL1PPFA4F352875.namprd15.prod.outlook.com
                                        X-Ajax-SCL: 1
                                        X-Egress-Defend-SCL: 1
                                        X-Egress-Defend-CrId: 67d042e32669e3325920785c
                                        References: <538a259f-932c-4107-93f0-ec43b7bc9541@wgi1yzfd99klnfg1hwja.c.us1.defend.egress.com>
                                        X-Processed-By-Ajax: true
                                        X-Processed-By-Egress-Defend: true
                                        X-Sentry-Times-Processed-Count: 1
                                        X-MS-Exchange-Organization-ExpirationStartTime: 11 Mar 2025 14:04:20.2509 (UTC)
                                        X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
                                        X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
                                        X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
                                        X-MS-Exchange-Organization-Network-Message-Id: 232833e0-6ee0-4881-d45d-08dd60a59e8e
                                        X-MS-Exchange-Organization-MessageDirectionality: Originating
                                        X-MS-Exchange-Organization-SCL: -1
                                        X-CrossPremisesHeadersPromoted: CH2PEPF00000140.namprd02.prod.outlook.com
                                        X-CrossPremisesHeadersFiltered: CH2PEPF00000140.namprd02.prod.outlook.com
                                        X-MS-Exchange-Transport-CrossTenantHeadersStripped: CH2PEPF00000140.namprd02.prod.outlook.com
                                        X-MS-PublicTrafficType: Email
                                        X-MS-Exchange-Organization-AuthSource: CY4PEPF0000FCC2.namprd03.prod.outlook.com
                                        X-MS-Exchange-Organization-AuthAs: Anonymous
                                        X-OriginatorOrg: wgi1yzfd99klnfg1hwja.c.us1.defend.egress.com
                                        X-MS-Office365-Filtering-Correlation-Id-Prvs: 49be82b5-83d3-400e-4e0c-08dd60a594fc
                                        X-Microsoft-Antispam: BCL:0;ARA:13230040|35042699022|32142699015|5062899012|82310400026|12012899012|69100299015|5073199012|3072899012|2092899012|3092899012|4076899003|3613699012|8096899003|4053099003|43540500003;
                                        X-Forefront-Antispam-Report: CIP:44.216.154.56;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKN;H:smtp.us1.defend.egress.com;PTR:smtp.us1.defend.egress.com;CAT:NONE;SFS:(13230040)(35042699022)(32142699015)(5062899012)(82310400026)(12012899012)(69100299015)(5073199012)(3072899012)(2092899012)(3092899012)(4076899003)(3613699012)(8096899003)(4053099003)(43540500003);DIR:INB;
                                        X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Mar 2025 14:04:20.0946 (UTC)
                                        X-MS-Exchange-CrossTenant-Network-Message-Id: 232833e0-6ee0-4881-d45d-08dd60a59e8e
                                        X-MS-Exchange-CrossTenant-Id: c66eaad3-4231-4d3b-873b-e9d98588a49e
                                        X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=c66eaad3-4231-4d3b-873b-e9d98588a49e;Ip=[44.216.154.56];Helo=[smtp.us1.defend.egress.com]
                                        X-MS-Exchange-CrossTenant-AuthSource: CY4PEPF0000FCC2.namprd03.prod.outlook.com
                                        X-MS-Exchange-CrossTenant-AuthAs: Anonymous
                                        X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
                                        X-MS-Exchange-Transport-EndToEndLatency: 00:00:11.6635022
                                        X-MS-Exchange-Processed-By-BccFoldering: 15.20.8511.025
                                        X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4712020)(920097)(930097)(140003);
                                        MIME-Version: 1.0

                                        Icon Hash:46070c0a8e0c67d6