Edit tour
Windows
Analysis Report
20250304_150220_TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ.eml
Overview
General Information
| Sample name: | 20250304_150220_TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ.eml |
| Analysis ID: | 1635328 |
| MD5: | 534c66c925d1aa2bff10acf060c776fd |
| SHA1: | c76867949581f15900317216215f549b2959131a |
| SHA256: | c5a1c37fb023d2fc386b20b0a46fcbf76e4d794711d50a3a84d2f46754fc50cc |
| Infos: |  |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Classification
- System is w10x64_ra
OUTLOOK.EXE (PID: 1460 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\OUTLO OK.EXE" /e ml "C:\Use rs\user\De sktop\2025 0304_15022 0_TA6NsGnF KBQP6WuMJf IAtA3XK3ok 9HgQ.eml" MD5: 91A5292942864110ED734005B7E005C0) 
ai.exe (PID: 6928 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \root\vfs\ ProgramFil esCommonX6 4\Microsof t Shared\O ffice16\ai .exe" "C1F A6B9C-44DE -4FF9-8542 -00CCDA4DC DB1" "2CC1 B831-8F95- 4C5A-B4D2- 9CDC3FFF23 40" "1460" "C:\Progr am Files ( x86)\Micro soft Offic e\Root\Off ice16\OUTL OOK.EXE" " WordCombin edFloatieL reOnline.o nnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Phishing |   |
|---|
| Source: | Joe Sandbox AI: | ||
| Source: | Joe Sandbox AI: | ||
| Source: | Classification: | ||
| Source: | Classification label: | ||
| Source: | File created: | ||
| Source: | File created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Key value queried: | ||
| Source: | Window found: | ||
| Source: | Window detected: | ||
| Source: | Key opened: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information queried: | ||
| Source: | Queries volume information: | ||
| Source: | Key value queried: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 11 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-0005.dual-s-dc-msedge.net | 52.123.130.14 | true | false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 52.182.143.208 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
| 52.123.130.14 | s-0005.dual-s-dc-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1635328 |
| Start date and time: | 2025-03-11 15:35:02 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | stream |
| Analysis stop reason: | Timeout |
| Sample name: | 20250304_150220_TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ.eml |
| Detection: | MAL |
| Classification: | mal48.winEML@3/3@0/19 |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): SIHClient.exe
- Excluded IPs from analysis (whitelisted): 52.123.130.14
- Excluded domains from analysis (whitelisted): ecs.office.com, dual-s-0005-office.config.skype.com, ecs.office.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250311T1035350360-1460.etl
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | modified |
| Size (bytes): | 110592 |
| Entropy (8bit): | 4.4980615686832675 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 392A4611FAD6F476FDCBFD43D7DA6D00 |
| SHA1: | 61CEB4A772D8ED671D9FFB514FBB2B23B9D0A7AC |
| SHA-256: | 7FD96DE90AB65ECCF418A653FBCB0ED3C3B94665D6324DAC6218E189C221C810 |
| SHA-512: | 67360978F7E4196630ADE2AC90E69137A6181E736441D7799FA51EFA32E511DC4ABCF832C66E037730CEBF9284FA40B5AA38BC8CA2A4162CA2A517401CA31AA1 |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 271360 |
| Entropy (8bit): | 2.5811242389498554 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 40073F538A8BE4F1D190E3E16AE96B46 |
| SHA1: | 520A5353221864624F8ACF78BF97E574DD736F25 |
| SHA-256: | 7AC8D254B50D48D72A9E42DBE53C1E6F38D9BB39B32ABE2B969AAEF4C3D33FC3 |
| SHA-512: | 2A175E0034A9FC3AFF9FF6D0B938840D1F9FFB387DC1555EF47CF8F64297B2487FB01F63CA1F887DD27EB2FBF61ADDADD195DC7F1F1F6F5FB27A6422D49FC3A9 |
| Malicious: | true |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131072 |
| Entropy (8bit): | 3.1243570072590408 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | D71C226AD20B96A8F492B5D11C0A2EA8 |
| SHA1: | 69DAD7B634791B1BC16522C081434C45C127861A |
| SHA-256: | D074724B05B7C7F2269793C5F94BE0913907227483337992171FE147B6CC7C60 |
| SHA-512: | B1F3BC2C8F33484D5F73E78B02F25F1D015166132FEB58F316E4CFE9D08EDE3131A2262BB1F57F641A1789E7377BF54A95B7241B128EB0E9AA3E636FE953BEBB |
| Malicious: | true |
| Reputation: | unknown |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.9071499532941045 |
| TrID: | |
| File name: | 20250304_150220_TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ.eml |
| File size: | 17'804 bytes |
| MD5: | 534c66c925d1aa2bff10acf060c776fd |
| SHA1: | c76867949581f15900317216215f549b2959131a |
| SHA256: | c5a1c37fb023d2fc386b20b0a46fcbf76e4d794711d50a3a84d2f46754fc50cc |
| SHA512: | 4c54e82d16b492af7a5380d10d59d5e36948e91310c0a183539af70392466f90c6a0b1e05daa18e811ae2b214ce87da01a6db6363d72f6fcfe8ef90354967a07 |
| SSDEEP: | 384:gBbkrP5Wd7kOzfVvIq0000000001iSp+Q/obeiNmx3vB+:g5krPId71zNQfxp+Q/obeHx3g |
| TLSH: | 5982F50768D7171364ADCC986B02BA3A3F27309D436D8770D895322DCBB5C9A760B6F8 |
| File Content Preview: | X-Proofpoint-Sentinel: stfjE/YoUs+L4Pf3aMUjFFhU4RUElp63eN6CLTQPYMkxpDJTYWx0ZWRfX/h. clIAYlN4TbVyYB786alypxQg0s3xtFxTVqonn3yQNMUUi7kB387Zlg2n9zl8tkoaG4Id6+GJFnvM. dyVXpVjt8NdbHK9aWJuDOuViV1H13FplmUUrbE2DaHH/3lHXBjDz8NQeHeWGOaGqAnUnNnWPr/rc. lcI4q9KiRJOhYDm |
| Subject: | [EXTERNAL] New Voicemail for Geoff.anderman: 29692f7b66f575b7b1d4c935432984d113d9587d - Duration: 1 minute 31 seconds. |
| From: | Mike <tenneile@bttwpg.com> |
| To: | geoff.anderman@stgusa.com |
| Cc: | |
| BCC: | |
| Date: | Tue, 04 Mar 2025 15:02:17 +0000 |
| Communications: |
|
| Attachments: |
|
| Key | Value |
|---|---|
| X-Proofpoint-Sentinel | stfjE/YoUs+L4Pf3aMUjFFhU4RUElp63eN6CLTQPYMkxpDJTYWx0ZWRfX/h clIAYlN4TbVyYB786alypxQg0s3xtFxTVqonn3yQNMUUi7kB387Zlg2n9zl8tkoaG4Id6+GJFnvM dyVXpVjt8NdbHK9aWJuDOuViV1H13FplmUUrbE2DaHH/3lHXBjDz8NQeHeWGOaGqAnUnNnWPr/rc lcI4q9KiRJOhYDmOuZSEf2TTgDW0RkI/BO+4smaYI+6dmWbsnKmAHFVcUh+/6TPKBWeGvDwFRUuv Pa+9Z/aan62nP1S3Getmg7w1itmhyLCtbHcwPbmSYNLpbr1uFj2k0HXRHuCoIkbhBpLdiZjlQOep nqT/jDxo5pTcQtyhe8rL3ugiwo/qbaxSfVmwTOT57dAh/FdJwuM+mveUDdnHyvcVKjzkTIgHDgj9 KgKBdgp3uTX2EFhwyazKLIuNPgNI1YiVsdBSa2/kwcNxdaEDbVQmHfAK8sfp61po3q1HdqvAaTnO 1Y87WiivEWkyPnLqpADEWMjamb48AX1FS1nheL3r6PebwLPPwOYS5wvX9wzIumPFGswbrAfv0ckH c7+Lk5RbYKAccxYqCugo+9ZBaPvaD8RTRD/LAtZAUbIbW9OranGN+SHZ5H1nyr9bPKHQmCQFX8Ai v5qVT6U+ULenuK+W5DciZXcDd6V8aeym46b7WoVDA5cZkq6FAzut99mkMxSyRwtrjnSiDzUkIgH2 gDKtv6Ok8/shhNdSid0ye5E1sN5S5I7RPTbfoj8uTSGvLuvNZhc6GzUu2ZwK0FVhYe1NVIHFG3Cl ivsp9GCogj7Q+V3HoV8w4jw4Ee4uhUB6Hs9a6uug/Bfhq3DOLPMVYqCYfY1DQY+qMohQKVEnuBKF ZcDs88muTBVtyeClEZl2BxuoZNkiswWJtF4ILaW0pmZmXr2QyYWyWckxroxH8/KwiQziokdTZAvO g5f+1CgR6Ax8hML6tvzN/puL8I5XL1ebhb6+zJqsz4vsLzkS9cqP+PcWKGJybn0ae5/RklQs+br6 r/VQ3EnatOMhh7mNxPqHJLAA= |
| Authentication-Results | ppops.net; dkim=pass header.d=bttwpgcom.onmicrosoft.com header.s=selector1-bttwpgcom-onmicrosoft-com; spf=pass smtp.mailfrom=tenneile@bttwpg.com; dmarc=none |
| Received | from [127.0.0.1] (139.64.164.134) by TO1PEPF00005345.mail.protection.outlook.com (10.167.241.5) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8511.15 via Frontend Transport; Tue, 4 Mar 2025 15:02:18 +0000 |
| ARC-Seal | i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=SW5jS6ST7ZASZNaQgAGr66hArXX1nn3VZtW7QObxPYfiIQ2YU6dde5HhZuTPheHrUWKn9zUxSnp2Y6ezTmIj0r2A6SJeK4DR/j1KJa1exVrp6XgWd5IfxKUrHz+747ulNzlh68cTN4bacnME/Gva7dHiz4uaG971BK9enGezAHutRERse+CZfJfSy9AR/RGs+h36z6GKdrKCahD/rhHAO4C7R2JP9mvygO+f/XExkNW+Wh8u5mqIFCJm2kDrt/vQL1GE3bQ1q1+TFBso1Ecmq+at8iCMiQGdzh6QRFeA2DQD6um85pMLH0W2Xcz/b+m1gDwdmyZV5D5Po3Z33kR1aw== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6EKXN806xf0olLI3TeGyUbqyDK17QJ3yFa4d6ttJv5g=; b=IxPnuU89dbravOvmiwFoD2ozU6rGciql3X5BWiJi1FlWQ+7tf5c9k394lbaFBPxGQNrIw27tjtAvzaIVuTK263Y7Dtd5GvWacN4mOrz7AtUaBgTfooNwh9gIv0Z7mUrHJCkj0UXfe/8P7B0MrRsX845K6rGWXJFLz3coS+wW54mxZvBZCLYkxdsdUm2O6A0J5aDiL6FGJ7AzJyYO3TqliI9dDy7c2j4Ka8mcDY0MlgvwJt0tS7cgQ27GbC9pZ7MFEUC7qLEcaptEZgg55Z0gOvNrCA72I/DPQ4BpjegnWwffzUTn465dtYnuD9ao3wgf06ei9Xj4X9QhtrjJECm2Mg== |
| ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=fail (sender ip is 139.64.164.134) smtp.rcpttodomain=stgusa.com smtp.mailfrom=bttwpg.com; dmarc=none action=none header.from=bttwpg.com; dkim=none (message not signed); arc=none (0) |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=bttwpgcom.onmicrosoft.com; s=selector1-bttwpgcom-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6EKXN806xf0olLI3TeGyUbqyDK17QJ3yFa4d6ttJv5g=; b=od4CJsW/5KwG2hz724UcGqRJYjlq6pV9IEgtIJcpBW3TPke7AL1CeMaOF8Ze2AvHVZWlzMAk8H8RZpUyxvpiWJHhrk5u5X5hVQSb0yez4tnK2C28Pq44onjBa7NJ53muwz5cYoA1V2ERZRxQncDPOVoY+HvHqv4h9dp7cD563Ew= |
| X-MS-Exchange-Authentication-Results | spf=fail (sender IP is 139.64.164.134) smtp.mailfrom=bttwpg.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=bttwpg.com; |
| Received-SPF | Fail (protection.outlook.com: domain of bttwpg.com does not designate 139.64.164.134 as permitted sender) receiver=protection.outlook.com; client-ip=139.64.164.134; helo=[127.0.0.1]; |
| Content-Type | multipart/mixed; boundary="--_NmP-7584f49e72a554d5-Part_1" |
| From | Mike <tenneile@bttwpg.com> |
| To | geoff.anderman@stgusa.com |
| Message-ID | <05c8d7e7-2ac6-1efc-fa08-9c778eec6233@bttwpg.com> |
| Date | Tue, 04 Mar 2025 15:02:17 +0000 |
| MIME-Version | 1.0 |
| Return-Path | tenneile@bttwpg.com |
| X-EOPAttributedMessage | 0 |
| X-MS-PublicTrafficType | |
| X-MS-TrafficTypeDiagnostic | TO1PEPF00005345:EE_|YQXPR01MB5772:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | e6b89856-b5a1-45cd-355f-08dd5b2d8ed7 |
| X-MS-Exchange-SenderADCheck | 1 |
| X-MS-Exchange-AntiSpam-Relay | 0 |
| X-Microsoft-Antispam | BCL:0;ARA:13230040|82310400026|1800799024|34070700014|36860700013|376014|4053099003|8096899003; |
| X-Microsoft-Antispam-Message-Info | 68jylCM1gT0eCG1SBva3WTtG6P4EIGCsZfrAeB3A9kGkF33gkMdiSlFImgopnJ3aoPWDSnSp4PvsF3x8oLN2Hb4adjLj2lXMNPTBCa2+zTRyzAUlVYEn4xFG1Rep8EWjAgmDB7fNVb69XzQHUFo+fXjRVQvnLaPLZhIL02eccdF1tzNoBdNIvy4lic4b+AE7/UpoT7yUYQ6oqhyiuANk88pXiRyqp0bXG7828zXafqMuYweUaDn3qNSUb+aJPZ+2MJub/vprrQSqDYe4H4cQ0nZ8luxR4HTmDQXb1jC6l/Uc1JgHr+xbE52ToP4Bpx3OHwqi0AhM4xm4ILvgQra2d4zTLHY3TorHRMDKijoXSFh9kBPgGl2W+r00nLxnXc2weYOAqsSp4UnXWgpRM36WwIQZ75D3hfbuogRFNuSA6SB5oDiXxFiSIE0rgLiZjxLRqY4NgIeYj25R4928Nvf84KRfrsoEr8DmtuEkz2KnPdjCWS2glCMniAf9yqk/JvTnfhoEuM1ZeIqRtOnsOBAuzoljr0Kowv/7QLT7neWaT/zlE+1TTirWqoRbduFH2OaNfwPoWGgZ23JoCEYlgWHGT3a+H3ykr/cx2n4aZVpNJR1EDl8ZzDNkohFnJe902m5yRX6hXhbqyeXLDn4i77nVI4loGh73RBpCrVixHsn9rRUsq+8rzfSJ5qwfMncOeSF54LZbCmARvNFtilKJt/sR+yoJmfAzNcF3Rdxz4NqT71MhblicHV4y+lWvJ5BtHkYchggBA7Gv4sPu+Vs76B2jb8cz8QuwjHeaiXony29eSgA/5UInga3M8eymIsrl33C+J0U4hBi1FShuyzunV4KfW/ZaTIMFzDQkIl7DVE3LfGpiP6uGxFNTv4DfezklTqzRfCA3jXQerTkrq2omtVDOEoYbGQ9W/dCaGegwoUWYcMnXz8B3t+gnwYdHYh4Yb6F7xrDP939gp18aw3dxkAaGvqcVajLRwo9VEnL6Mda+cu79c3qLXAqAhSQ3kA5bvpf9/8M/JiXFEyQ5rUF2f5EmnlXdimAKAtaTCwRk4upPvyIJSdnjInaylYu1eGCRH9wNhd2H43xVsnq3OK16rqwYfO3mPNus9SaL1RCOdjRs7kXu4W1MFuxekDNV3/a64U/levq8fAAlaGZkJl3m7zTYLyaZp0ERFp6odpBMuBuMrGASc/jwFOFKUPfuzIKcYD8XCLGMSTHV8N9Jbq/KQKA3vg== |
| X-Forefront-Antispam-Report | CIP:139.64.164.134;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:[127.0.0.1];PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(82310400026)(1800799024)(34070700014)(36860700013)(376014)(4053099003)(8096899003);DIR:OUT;SFP:1102; |
| X-OriginatorOrg | bttwpg.com |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 04 Mar 2025 15:02:18.3196 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | e6b89856-b5a1-45cd-355f-08dd5b2d8ed7 |
| X-MS-Exchange-CrossTenant-Id | c79f80c5-b1df-46ce-9af0-f045eee8d657 |
| X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp | TenantId=c79f80c5-b1df-46ce-9af0-f045eee8d657;Ip=[139.64.164.134];Helo=[[127.0.0.1]] |
| X-MS-Exchange-CrossTenant-AuthSource | TO1PEPF00005345.CANPRD01.PROD.OUTLOOK.COM |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | HybridOnPrem |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | YQXPR01MB5772 |
| X-Proofpoint-GUID | TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ |
| X-Authority-Analysis | v=2.4 cv=Aq4U3P9P c=1 sm=1 tr=0 ts=67c715fc cx=c_pps a=NOpdzIhjhtkpaSQuo2fSpQ==:117 a=CfxQvKvE8w22MpBonQQBYA==:17 a=wKuvFiaSGQ0qltdbU6+NXLB8nM8=:19 a=Ol13hO9ccFRV9qXi2t6ftBPywas=:19 a=Vs1iUdzkB0EA:10 a=s63m1ICgrNkA:10 a=q_XRVSm16zIA:10 a=J51EX-W4AAAA:8 a=tclcd6dtLQvEqt9_mmAA:9 a=_W_S_7VecoQA:10 a=L03L2QfmqWoA:10 a=1WNtSb5ECZgA:10 a=QEXdDO2ut3YA:10 a=aRNXqSZrRLmW49G0qUD7:22 |
| X-Proofpoint-ORIG-GUID | TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ |
| X-CLX-Shades | MLX |
| X-CLX-Response | 1TFkXGBkeEQpMehccGhEKWUQXYR0beBlHY2x8aWURClhYF2NMYBJaZnplWU1 6EQp4ThdmfVoTGkVIf35IcBEKQ0gXHxkRCkNZFwceEhoRCkNJFxoEGhoaEQpZTRdnZnIRCllJFx pxGhAadwYYGx5xGxkcEBp3BhgaBhoRClleF2hjeREKSUYXWV5NX1lLdUJFWV5PThEKSUcXeE9NE QpDThd+axxkWW1EbGFoe3ocfV9nYExja15rGXJhGUVBE2JNexEKWFwXHwQaBBkTGwUbGgQbGhoE GxkeBBkfEBseGh8aEQpeWRdPBWZbchEKTVwXGxgTEQpMWhdpeGlCTUMRCkVZF29rEQpMXxd6BQU FBQUFBQUFbxEKTU4XaGgRCkxGF2Nra2sRCkJPF2V5axJcQUxYZGZ/EQpDWhceGgQbGh0EGxMZBB saGxEKQl4XGxEKQkUXZFtGEh9Sfm1fckYRCkJOF2Z9WhMaRUh/fkhwEQpCTBdjTGASWmZ6ZVlNe hEKQmwXZEFaHWxfBUhrfgURCkJAF20dG3JDWR5FH2NiEQpCWBdsWR9hZ1BNGHpzZREKTV4XGxEK WlgXHhEKeUMXb0RrbWxsTmV4H04RCllLFxsSEhkRCnBnF2t4Q2sdeh9kRxIeEBoRCnBoF21TQU4 dRkxgblwFEB4aEQpwaBdlHV5pBR5oaG9BTRAeGhEKcGgXYR9+elB+aVJfWBsQHhoRCnBoF3pNRW 9YRl9zHlNPEB4aEQpwaBdgGmsZXBwdR1JMaRAeGhEKcGgXZ3IbYn4caExLYUgQGhEKcGsXYxgYZ X5LfkJyfQUQGxgaEQpwaxdpBWhpRVIFQFp/fRATHREKcGwXYGhSbW58QW9FQBwQHBkRCm1+FxsR ClhNF0sRIA== |
| X-Proofpoint-Banner-Trigger | unknownsender |
| Subject | [EXTERNAL] New Voicemail for Geoff.anderman: 29692f7b66f575b7b1d4c935432984d113d9587d - Duration: 1 minute 31 seconds. |
| X-Proofpoint-Virus-Version | |
| X-Proofpoint-Spam-Details | rule=inbound_phish policy=inbound score=100 suspectscore=0 malwarescore=0 mlxlogscore=144 mlxscore=0 clxscore=234 snscore=48 adultscore=0 priorityscore=60 lowpriorityscore=0 spamscore=0 phishscore=100 impostorscore=0 unknownsenderscore=20 bulkscore=0 classifier=phish authscore=0 authtc=n/a authcc= route=internal adjust=0 reason=mlx scancount=1 engine=8.19.0-2502100000 definitions=main-2503040122 domainage_hfrom=1883 |
 | |
| Icon Hash: | 46070c0a8e0c67d6 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node