Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name:phish_alert_sp2_2.0.0.0.eml
Analysis ID:1635713
MD5:c0b81bc8aa2ccf669c918661b0994bee
SHA1:7a4e83ef3b490985fa6d400674a99368c288f274
SHA256:454f505746bbad734ddf989c9d3545bbd954f695c65fa1c241ddbe6758388cb9
Infos:

Detection

Score:52
Range:0 - 100
Confidence:100%

Signatures

AI detected suspicious Javascript
AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Creates files inside the system directory
Deletes files inside the Windows folder
HTML page contains hidden javascript code
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7028 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6240 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DBE6AEAF-8ACF-4E26-AC80-56DF73B9FD99" "AB61F736-4CC5-4D7A-BBC4-71A783FFB06B" "7028" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 5776 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GRW8P7TM\Murexltd00990__098.html MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 7160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,15769068275522898566,8139127617830743890,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: Registry Key set; Author: frack113; Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GRW8P7TM\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T22:51:34.709283+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49697 | 172.67.74.152 | 443 | TCP

Phishing

Source: 0.0..script.csv; Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/AppData/Local/Microsoft/Wind... This script exhibits several high-risk behaviors, including dynamic code execution through the use of `atob()` to decode a URL, and data exfiltration by sending user data (potentially sensitive) to an untrusted domain (`mkologin.filematrix.de`). The obfuscated code and suspicious domain further increase the risk score.
Source: Email; Joe Sandbox AI: Detected potential phishing email: Extremely suspicious and complex sender email address with random characters and multiple domains mixed together. Subject line contains suspicious reference number and mentions payment/EFT which is a common phishing lure. Attachment is HTML file which is a dangerous format commonly used in phishing attacks
Source: Email; Joe Sandbox AI: Detected suspicious elements in Email header: Suspicious return-path with extremely long, random-looking string and mixed domains (pandadoc.net and dixieweldfab.net). Local sending IP (127.0.0.1) in received headers, but actual origin is 13.86.115.111, indicating potential header manipulation. Unusual boundary string format with suspicious characters. Complex and suspicious message-id format that doesn't match standard patterns. Despite low SCL and BCL scores, the combination of header anomalies strongly suggests a malicious email. Return-path contains suspicious encoded characters and unusual formatting. Multiple authentication and routing inconsistencies between claimed sender domain and actual mail flow
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/GRW8P7TM/Murexltd00990__098.html; HTTP Parser: Base64 decoded: bbaumeister@murexltd.com
Source: Email; Classification: Invoice Scam
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/GRW8P7TM/Murexltd00990__098.html; HTTP Parser: No favicon
Source: chrome.exe; Memory has grown: Private usage: 1MB later: 34MB
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49697 -> 172.67.74.152:443
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown; TCP traffic detected without corresponding DNS query: 20.190.159.2
Source: unknown; TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown; TCP traffic detected without corresponding DNS query: 20.190.160.22
Source: global traffic; DNS traffic detected: DNS query: mkologin.filematrix.de
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown; Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown; Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49723
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\scoped_dir5776_334728346
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File deleted: C:\Windows\SystemTemp\scoped_dir5776_334728346
Source: classification engine; Classification label: mal52.winEML@23/3@4/111
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250311T1751440849-7028.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DBE6AEAF-8ACF-4E26-AC80-56DF73B9FD99" "AB61F736-4CC5-4D7A-BBC4-71A783FFB06B" "7028" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\GRW8P7TM\Murexltd00990__098.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,15769068275522898566,8139127617830743890,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation21
Browser Extensions
1
Process Injection
11
Masquerading
OS Credential Dumping1
Process Discovery
Remote ServicesData from Local System2
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading
1
DLL Side-Loading
1
Process Injection
LSASS Memory1
File and Directory Discovery
Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Extra Window Memory Injection
1
DLL Side-Loading
Security Account Manager13
System Information Discovery
SMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
File Deletion
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Extra Window Memory Injection
LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Source | Detection | Scanner | Label | Link
phish_alert_sp2_2.0.0.0.eml | 6% | Virustotal | | Browse
No Antivirus matches
Source | Detection | Scanner | Label | Link
file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/GRW8P7TM/Murexltd00990__098.html | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.184.228 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high
mkologin.filematrix.de | 188.114.96.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/GRW8P7TM/Murexltd00990__098.html | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
142.250.185.99 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.186.67 | unknown | United States | | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | | 13335 | CLOUDFLARENETUS | false
142.250.186.174 | unknown | United States | | 15169 | GOOGLEUS | false
52.123.128.14 | s-0005.dual-s-msedge.net | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.181.238 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.185.142 | unknown | United States | | 15169 | GOOGLEUS | false
188.114.96.3 | mkologin.filematrix.de | European Union | | 13335 | CLOUDFLARENETUS | true
142.250.184.228 | www.google.com | United States | | 15169 | GOOGLEUS | false
172.217.16.195 | unknown | United States | | 15169 | GOOGLEUS | false
52.109.76.144 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.89.179.8 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
66.102.1.84 | unknown | United States | | 15169 | GOOGLEUS | false
IP
192.168.2.16
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1635713
        Start date and time:2025-03-11 22:51:02 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:17
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        Analysis Mode:stream
        Analysis stop reason:Timeout
        Sample name:phish_alert_sp2_2.0.0.0.eml
        Detection:MAL
        Classification:mal52.winEML@23/3@4/111
        Cookbook Comments:
        • Found application associated with file extension: .eml
        • Exclude process from analysis (whitelisted): SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 52.109.76.144, 13.89.179.8, 20.12.23.50, 52.123.128.14, 2.16.185.191
        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
        • Not all processes where analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetValueKey calls found.
        • VT rate limit hit for: mkologin.filematrix.de
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:modified
        Size (bytes):102400
        Entropy (8bit):4.478093462890911
        Encrypted:false
        SSDEEP:
        MD5:F27779C851D11D6E829D97EBC03D7A3D
        SHA1:30A26F0BA59139CAEA4A289D4A45DE4AF62E4B49
        SHA-256:6AA4ACAC07376990A7E92DDC8E1A81BB5F39588EE007B16AF36EA5FE296917D1
        SHA-512:7A7ACA68A29396E0B6719987B5417CC3FBADAC13F15025311BA81D1FC81F06F8157188BC4D2155FEA49E65B8E92C90D5C9D97CC0F2743F139E231BA962DBF284
        Malicious:false
        Reputation:unknown
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:Microsoft Outlook email folder (>=2003)
        Category:dropped
        Size (bytes):271360
        Entropy (8bit):2.6280033765156157
        Encrypted:false
        SSDEEP:
        MD5:B260E155BFC117548F5231937C1FFDBA
        SHA1:A75518C4524172809A3DD8B6CE04983AAFCD7F93
        SHA-256:F23F0AB9E18F850043393DADE318EED006B304E0678ADC8F97D47C814368CA6D
        SHA-512:15F5BCCEF85705CB284798CFFF5E26142E756B5E010E22239C99F0F11CB049486CE1E274195783AC02AE9240EEE299B8882334A2134A7790512C6392890F7F57
        Malicious:true
        Reputation:unknown
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):3.4153106880379878
        Encrypted:false
        SSDEEP:
        MD5:7D48F9F06E820C8897DABF5183D5DA0E
        SHA1:A06CBFD39E6C6C4B2C9BF321B2FF198026C7E964
        SHA-256:26555E168C7BA1D9C1EA3FA9154EF16D2C7B9E2F3435E5CCDE6BAA684A0E1C84
        SHA-512:DF4B05896D55D1CFC48FEA65A8D154A09825AE1BE5DDD847C214F1E3775DF0FFF3E18BB045652F261B726994582AF30709478790EE58A90888BE08B5FE6187D5
        Malicious:true
        Reputation:unknown
        File type:RFC 822 mail, ASCII text, with very long lines (2073), with CRLF line terminators
        Entropy (8bit):6.052111561042157
        TrID:
        • E-Mail message (Var. 5) (54515/1) 100.00%
        File name:phish_alert_sp2_2.0.0.0.eml
        File size:16'662 bytes
        MD5:c0b81bc8aa2ccf669c918661b0994bee
        SHA1:7a4e83ef3b490985fa6d400674a99368c288f274
        SHA256:454f505746bbad734ddf989c9d3545bbd954f695c65fa1c241ddbe6758388cb9
        SHA512:617d92e68876d678145d73b7b9be66a3b83eb6e0bc1fdfcd2a08efe21fb0688183f125cfcf8be9f1fdf125abe48da07d24e8b5bf4750ca1baee7cf295098f2b5
        SSDEEP:384:BHk73R8RNh3KK+Ubi1yFK2ZVVNCTb3riX:BG3eDh3KBcBen3GX
        TLSH:B8726D95989418289FD6A3899310B801B3A671C259F390D1B6DF4EB10BD7184FF4A9EF
        File Content Preview:Received: from DM4PR16MB5363.namprd16.prod.outlook.com.. (2603:10b6:8:187::12) by BN0PR16MB4591.namprd16.prod.outlook.com with.. HTTPS; Tue, 11 Mar 2025 16:41:59 +0000..Received: from BN9P222CA0004.NAMP222.PROD.OUTLOOK.COM.. (2603:10b6:408:10c::9) by DM4P
        Subject:Approved EFT / ePayments Remittance for Murexltd is attached powered by VolpLine Ref_563dc8198a0aac63900e90cf56e3c75fe9d119c3.
        From:"Vergie Kshlerin <Vergie.Kshlerin@rolfsono'haraandward.com>" <"AR_report.20220104182931044334fadceb388a85af9bdfS06d7/1625a670VTBi6CQyXeyDy1wryFIMr3RzkndQNcHCwzONIhSLem ail.email.pandadoc.net/c/eJxMj8Fu2zwQhJ9GvMmguBRFHXSI80NMDkyLUVNSS04NZUAAAGVw6CR29v/pvc1904L93trBtOEtASP_BLDVCUpdT7gGMZDh16GQXhTGSDbK6XDg/rr4UBwmx.01-sarah.farmer"@dixieweldfab.net>
        To:Bobby Baumeister <bbaumeister@murexltd.com>
        Cc:
        BCC:
        Date:Tue, 11 Mar 2025 16:41:47 +0000
        Communications:
          Attachments:
          • Murexltd00990__098.html
          Key Value
          Received: from [127.0.0.1] (13.86.115.111) by SJ1PEPF000023CF.mail.protection.outlook.com (10.167.244.11) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8534.20 via Frontend Transport; Tue, 11 Mar 2025 16:41:48 +0000
          Arc-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=AUo63yjZYc9aec7KbiQNcicrR7/eJKhBQaCaLxH4dZmfJB6nVRZZpC1i22qPuaMVz2Pyqjm6kxep8B91z269G1hpOFwIcYxrkBKvAQV81E+5WbKDo0Dp+QBeztZJM2rvRXuWE30ZjQUwOcicq/oYpZ5+kZ7mtLn4WySEA5Yl2Ng5qKuxGKotWWJ1D360RNA4nLJbOqvf6g+F7pajUny3Il0ZGQHwqvRV9RmQWo58AKKTMM0IXCw3eCYmpfwaShctzunbCL1yDiPLKZpzqgSVU/DaG1aghIZ+ycFfVHj1cf9TwUmVN99fvAY4MFFxUvhPUn44nDXXVMft/AI1xzBZdQ==
          Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=806ZjydHKydqRqCzh/yBlmEBSbnMqpSW6YiWjCjoFpI=; b=UT7cxd89F4ycXveYyHx/whYZP1PIf7w98FWYSUnhPU2kTU35XXkPiGc0Ar7czIkXJa6bNeyrXW4mB40jq/KCMI2qlBZI9xh0QBqAKoakwmswlaXmw7Aa7M55DQXr9Ub38Eewu2e7UXZhM9p+bMlVzBGueRmWo3SXiZMzj3rt96nb5+KXyU3PW0DEsGee0mEmHgtFysSK938sKqio7uhB6hcKaaXEm5e5q6WYtHexEDSRxGJ1ZX+E1VjQz35jN/RmXqs9yDE7v2AnvqHEBOWWx5ybf7JI/V+Gx9so4eAlsr9yTKrUx2TjCq3tcUjRVNAFqff92VgKjUX9AM3p61PEJA==
          Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is 13.86.115.111) smtp.rcpttodomain=murexltd.com smtp.mailfrom=dixieweldfab.net; dmarc=none action=none header.from=dixieweldfab.net; dkim=none (message not signed); arc=none (0)
          Authentication-Results: spf=pass (sender IP is 2a01:111:f403:2418::712) smtp.mailfrom=dixieweldfab.net; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=dixieweldfab.net;compauth=pass reason=109
          Received-Spf: Fail (protection.outlook.com: domain of dixieweldfab.net does not designate 13.86.115.111 as permitted sender) receiver=protection.outlook.com; client-ip=13.86.115.111; helo=[127.0.0.1];
          X-Ms-Exchange-Authentication-Results: spf=fail (sender IP is 13.86.115.111) smtp.mailfrom=dixieweldfab.net; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=dixieweldfab.net;
          Content-Type: multipart/mixed; boundary="----sinikael-?=_1-17417121656290.3443412411279345"
          Content-Transfer-Encoding: 7bit
          Content-Disposition: attachment
          From: "Vergie Kshlerin <Vergie.Kshlerin@rolfsono'haraandward.com>" <"AR_report.20220104182931044334fadceb388a85af9bdfS06d7/1625a670VTBi6CQyXeyDy1wryFIMr3RzkndQNcHCwzONIhSLem ail.email.pandadoc.net/c/eJxMj8Fu2zwQhJ9GvMmguBRFHXSI80NMDkyLUVNSS04NZUAAAGVw6CR29v/pvc1904L93trBtOEtASP_BLDVCUpdT7gGMZDh16GQXhTGSDbK6XDg/rr4UBwmx.01-sarah.farmer"@dixieweldfab.net>
          To: Bobby Baumeister <bbaumeister@murexltd.com>
          Subject: Approved EFT / ePayments Remittance for Murexltd is attached powered by VolpLine Ref_563dc8198a0aac63900e90cf56e3c75fe9d119c3.
          Message-Id: <7b19a895-1f6d-6229-e8b0-7c6712c25578@dixieweldfab.net>
          Date: Tue, 11 Mar 2025 16:41:47 +0000
          MIME-Version: 1.0
          Return-Path: "AR_report.20220104182931044334fadceb388a85af9bdfS06d7/1625a670VTBi6CQyXeyDy1wryFIMr3RzkndQNcHCwzONIhSLem ail.email.pandadoc.net/c/eJxMj8Fu2zwQhJ9GvMmguBRFHXSI80NMDkyLUVNSS04NZUAAAGVw6CR29v/pvc1904L93trBtOEtASP_BLDVCUpdT7gGMZDh16GQXhTGSDbK6XDg/rr4UBwmx.01-sarah.farmer"@dixieweldfab.net
          X-Eopattributedmessage: 1
          X-Ms-Traffictypediagnostic: SJ1PEPF000023CF:EE_|DS1PR15MB6672:EE_|BN3PEPF0000B06B:EE_|DM4PR16MB5363:EE_|BN0PR16MB4591:EE_
          X-Ms-Office365-Filtering-Correlation-Id: 4b1ed06e-15cf-4c0f-7768-08dd60bb9fc4
          X-Ms-Exchange-Senderadcheck: 1
          X-Ms-Exchange-Antispam-Relay: 0
          X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|2093699003|82310400026|376014|37132699006|38142699006|36860700013|34020700016|61400799027|3143699003|9613299012|3123699003|10002299003|4053099003|9015299003|1513699012|2613699012|3613699012|95630200002;
          X-Microsoft-Antispam-Message-Info-Original:
          X-Forefront-Antispam-Report-Untrusted: CIP:13.86.115.111;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:[127.0.0.1];PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(2093699003)(82310400026)(376014)(37132699006)(38142699006)(36860700013)(34020700016)(61400799027)(3143699003)(9613299012)(3123699003)(10002299003)(4053099003)(9015299003)(1513699012)(2613699012)(3613699012)(95630200002);DIR:OUT;SFP:1102;
          X-Ms-Exchange-Transport-Crosstenantheadersstamped: DM4PR16MB5363
          X-Ms-Exchange-Organization-Expirationstarttime: 11 Mar 2025 16:41:51.2082 (UTC)
          X-Ms-Exchange-Organization-Expirationstarttimereason: OriginalSubmit
          X-Ms-Exchange-Organization-Expirationinterval: 1:00:00:00.0000000
          X-Ms-Exchange-Organization-Expirationintervalreason: OriginalSubmit
          X-Ms-Exchange-Organization-Network-Message-Id: 4b1ed06e-15cf-4c0f-7768-08dd60bb9fc4
          X-Eoptenantattributedmessage: d5ea0ba6-3c9e-43c2-9d1e-fffeb0d842e5:0
          X-Ms-Exchange-Organization-Messagedirectionality: Incoming
          X-Ms-Exchange-Transport-Crosstenantheadersstripped: BN3PEPF0000B06B.namprd21.prod.outlook.com
          X-Ms-Exchange-Transport-Crosstenantheaderspromoted: BN3PEPF0000B06B.namprd21.prod.outlook.com
          X-Ms-Publictraffictype: Email
          X-Ms-Exchange-Organization-Authsource: BN3PEPF0000B06B.namprd21.prod.outlook.com
          X-Ms-Exchange-Organization-Authas: Anonymous
          X-Ms-Office365-Filtering-Correlation-Id-Prvs: 6641f4e8-5461-4a41-76e6-08dd60bb9df1
          X-Ms-Exchange-Atpmessageproperties: SA|SL
          X-Ms-Exchange-Organization-Scl: 1
          X-Microsoft-Antispam: BCL:0;ARA:13230040|2093699003|38142699006|37132699006|35042699022|3143699003|12062699021|3123699003|4053099003|8052699015|3613699012|95630200002;
          X-Forefront-Antispam-Report: CIP:2a01:111:f403:2418::712;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM12-BN8-obe.outbound.protection.outlook.com;PTR:mail-bn8nam12on20712.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(2093699003)(38142699006)(37132699006)(35042699022)(3143699003)(12062699021)(3123699003)(4053099003)(8052699015)(3613699012)(95630200002);DIR:INB;
          X-Ms-Exchange-Crosstenant-Originalarrivaltime: 11 Mar 2025 16:41:51.0832 (UTC)
          X-Ms-Exchange-Crosstenant-Network-Message-Id: 4b1ed06e-15cf-4c0f-7768-08dd60bb9fc4
          X-Ms-Exchange-Crosstenant-Id: d5ea0ba6-3c9e-43c2-9d1e-fffeb0d842e5
          X-Ms-Exchange-Crosstenant-Originalattributedtenantconnectingip: TenantId=c2979701-5c28-46ab-9791-e917ba9dacda;Ip=[13.86.115.111];Helo=[[127.0.0.1]]
          X-Ms-Exchange-Crosstenant-Authsource: BN3PEPF0000B06B.namprd21.prod.outlook.com
          X-Ms-Exchange-Crosstenant-Authas: Anonymous
          X-Ms-Exchange-Crosstenant-Fromentityheader: Internet
          X-Ms-Exchange-Transport-Endtoendlatency: 00:00:08.7929606
          X-Ms-Exchange-Processed-By-Bccfoldering: 15.20.8511.025
          X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(920097)(930097)(140003);
          X-Microsoft-Antispam-Message-Info:

          Icon Hash:46070c0a8e0c67d6