Windows
Analysis Report
EFT Payment Notification - May 2_ 2024.eml
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64_ra
- OUTLOOK.EXE (PID: 6336 cmdline:
"C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\OUTLO OK.EXE" /e ml "C:\Use rs\user\De sktop\EFT Payment No tification - May 2_ 2024.eml" MD5: 91A5292942864110ED734005B7E005C0) - ai.exe (PID: 1792 cmdline:
"C:\Progra m Files (x 86)\Micros oft Office \root\vfs\ ProgramFil esCommonX6 4\Microsof t Shared\O ffice16\ai .exe" "0A2 9E8C4-2C2E -4A26-93C1 -E5FB27BDD 2DB" "A793 3F60-11C1- 4862-8C31- 914C1A6C8D CE" "6336" "C:\Progr am Files ( x86)\Micro soft Offic e\Root\Off ice16\OUTL OOK.EXE" " WordCombin edFloatieL reOnline.o nnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Window found: |
Source: | Window detected: |
Source: | Key opened: |
Source: | Key value created or modified: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Process information queried: |
Source: | Queries volume information: |
Source: | Key value queried: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
52.109.52.131 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
20.189.173.7 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1437710 |
Start date and time: | 2024-05-07 20:28:29 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample name: | EFT Payment Notification - May 2_ 2024.eml |
Detection: | CLEAN |
Classification: | clean1.winEML@3/10@0/9 |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.109.52.131, 52.113.194.132, 20.189.173.7
- Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, asia.configsvc1.live.com.akadns.net, mobile.events.data.microsoft.com, onedscolprdwus06.westus.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, jpe-azsc-config.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, mobile.events.data.trafficmanager.net
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: EFT Payment Notification - May 2_ 2024.eml
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 231348 |
Entropy (8bit): | 4.383868381532299 |
Encrypted: | false |
SSDEEP: | |
MD5: | 4316ECB55DB28B16C788B817DFF6354B |
SHA1: | BB8A26DA4C1FE73E56FF4104C105CA865AB4BF47 |
SHA-256: | 4E398A6B654D8FD2C96A52BE30BC1F18563877161DA9A3699824ED42C75865DB |
SHA-512: | 32E4A673E0B06E6D756CF7A44CE8D22DD00080C77E54A7BDEC39CCE52A71BE61FA792FFDB1272DFDBA0946D77DE19C7FABFFB985F7E019AEAE240C3EE1356243 |
Malicious: | false |
Reputation: | unknown |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\48F943CC-973B-4082-A517-9598C5352480
Download File
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 166208 |
Entropy (8bit): | 5.3409463269269235 |
Encrypted: | false |
SSDEEP: | |
MD5: | 9DD00B035226CCBD83440B5D9E312772 |
SHA1: | 71086740B9B9C3668FFE1025F2BC4C4F2F867F99 |
SHA-256: | 1EC96A0CB90AD65E34DDB389ED2181F5B5AD989C6D69F02EEE4C31A16BEA6D09 |
SHA-512: | FE0979F6335A003E2313E08CA2945460FA13A7D7C3D9B82102A221DA7E890AA35175FABCD0325523862AA33D6E9E97CC79433658F320E006E1ED1C7FE45C370A |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 0.04568135146424745 |
Encrypted: | false |
SSDEEP: | |
MD5: | B4886088C96D485208242D3DB6169AA7 |
SHA1: | 3A15E24E9C996B85412D0976663C14C9F1B1B29A |
SHA-256: | 4A2E08BD752584BE22815DD0ACF4C20C8D9B21596D38755D322E6477533DD14E |
SHA-512: | D41289B88248C0D6AF697A8FF6F82A4D105A78C900E16A46EF8B56651B2FBF49ED6B786DF53755688B81C77679A6D87BCE129ADFB47D21A01AA20839D10EB200 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 49472 |
Entropy (8bit): | 0.4859293433460284 |
Encrypted: | false |
SSDEEP: | |
MD5: | BC55699EC593932C21E4AA8DB7B3248A |
SHA1: | BD7B2B355AE32CE6552D9B989EBC51E6DE3357EC |
SHA-256: | F66AEA8631868C3AD5B2AA3816E642B5DA7E368A68605469AF8A7C426FBA48F8 |
SHA-512: | 2116554C55DC564C9525CFF5F67E53A75EC06773B6806DC8D9F1AD456219A8F604708DEDB1BD617430CEDEFE895562D17473E6152312B1B54F228719CCF830C0 |
Malicious: | false |
Reputation: | unknown |
Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1715106546336901500_EAA4BB55-280F-43F0-9D13-E22B7C7813F4.log
Download File
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.15900406803949874 |
Encrypted: | false |
SSDEEP: | |
MD5: | 6853560A9D8EC9568F1075B60BBC3D66 |
SHA1: | 21461F68A37CC58DC1E316F12DD459C8272AF140 |
SHA-256: | B513393E3A8DE8D6CD41A4D9C67FEA9C6056C32486AA36A31F5513C63B3D3FAC |
SHA-512: | 16A603ECDE9EC65870138EE60624CC23B05A80E66ED154535F2ED816BE974B8D9165D9CD662E3AF2EA6A73DAE9BFB732EF6E31514A3FD7F8842520855CEC8075 |
Malicious: | false |
Reputation: | unknown |
Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1715106546339351700_EAA4BB55-280F-43F0-9D13-E22B7C7813F4.log
Download File
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Reputation: | unknown |
Preview: |
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240507T2029060142-6336.etl
Download File
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 106496 |
Entropy (8bit): | 4.500857989744023 |
Encrypted: | false |
SSDEEP: | |
MD5: | CCBEA2589A9229DD3B2E19B34176BA98 |
SHA1: | D410B5A66C5667337E9C2C0BAA9AE47F8D5A58D1 |
SHA-256: | DB4190BFFD80FF3ADD19CC70C7EF49C8F95C7D51BD32F9ADAA6A106FC187950C |
SHA-512: | 46803A4DB441C0F4D8A083E34A981478319AB4E4D59D971CE684816B7199BE8607765B65664945F1992B0C9FE16AEBD55D19D48CE8D2671460EC675EC12E5466 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 30 |
Entropy (8bit): | 1.2389205950315936 |
Encrypted: | false |
SSDEEP: | |
MD5: | A3CCC4BA25EA15B8D846B72D0CAAD07E |
SHA1: | 9CFD12A935805959817F0A0073AE516387B41E46 |
SHA-256: | 21EF18135CE0C54E245AA51E76241CD66319F55C6CBC28B40667047FE0FB7122 |
SHA-512: | B181317118248C786DA5C827C15749C46F433D074C4DB435FEB481BE49781052374D9F167D5FFFD1F4E3249170E3D572520F5C18767D0B1427C632C7F93B204B |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 271360 |
Entropy (8bit): | 2.1964050067156418 |
Encrypted: | false |
SSDEEP: | |
MD5: | 6F2B8E7072F4A9446C121233590E6439 |
SHA1: | 29518B4479AB76B86B5B01CFCA95363B2BB366CC |
SHA-256: | 7E4C5F760987AE414C6A7B627C7CA4639018567748B437831FBD6AB70675572E |
SHA-512: | 7532C778BB6D8DE104E62C84BACE6CA7A8C4467503692B869B9700E301C3833AB3BA6BFBF0F3E71FBF79972803077628B6F35AE6E15C63E37A02256E88FDB59B |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 3.60218499363447 |
Encrypted: | false |
SSDEEP: | |
MD5: | 5A1A7404344DFAA1638D76289CF2FE18 |
SHA1: | D55A160BFE594D4215FEFF9D2C37A09AE8695B4E |
SHA-256: | 98B9B8D271C6633CF62E9CC09D8EA778D460DA3602A8D758FE6C37DFCE652431 |
SHA-512: | B0E39A37B81E6A7EDC116FB114D8830CC145FCADFC572C7C1AC9CC517C1306A3C7FB6C2F7BED4AC1A0D4FF32B1F7F2B0C241C606CE6E199D8271A36FBA2D7E4E |
Malicious: | false |
Reputation: | unknown |
Preview: |
File type: | |
Entropy (8bit): | 6.050368225208865 |
TrID: |
|
File name: | EFT Payment Notification - May 2_ 2024.eml |
File size: | 13'516 bytes |
MD5: | 12cbcf6c24ed3c99dd41a6889a74f0f6 |
SHA1: | f3e00ab1ad0ee952d8f36b7b0135fd6aae0eac21 |
SHA256: | 2c673df8530f050689e3c6439989f9b93ed818a380c02d6fd62a323caa7a7bf9 |
SHA512: | de43bda3d9dbebbf69ae3d511a0a5dc0892dbb77317388c1dc02d7317e02e353d811603228398d19a0f44fc192e9215e0e28e5b78cdb801b9e0ea7dbb434054c |
SSDEEP: | 384:iQ6TrIHdtx15mB3P/hS6DavsRIilLWJmJnRuN:/6Ecf/xb1iJmC |
TLSH: | 3D521B108B453436DFA182458AB02C4D1122B9C2B9F7D0C47A9F75BA26CF87EBF35D95 |
File Content Preview: | Received: from SA1P223MB1092.NAMP223.PROD.OUTLOOK.COM (2603:10b6:806:3c9::11).. by CH0P223MB0330.NAMP223.PROD.OUTLOOK.COM with HTTPS; Thu, 2 May 2024.. 21:01:20 +0000..Received: from YQBPR0101CA0023.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00::36).. by SA1P2 |
Subject: | EFT Payment Notification - May 2, 2024 |
From: | Amy Crawford <amy64090@encore-consulting.net> |
To: | Marsha Hepburn <marsha.hepburn@mackie1928.com> |
Cc: | |
BCC: | |
Date: | Thu, 02 May 2024 20:45:15 +0000 |
Communications: |
|
Attachments: |
Key | Value |
---|---|
Received | from [147.78.241.109] (147.78.241.109) by BN3PEPF0000B074.mail.protection.outlook.com (10.167.243.119) with Microsoft SMTP Server id 15.20.7544.18 via Frontend Transport; Thu, 2 May 2024 20:45:16 +0000 |
From | Amy Crawford <amy64090@encore-consulting.net> |
To | Marsha Hepburn <marsha.hepburn@mackie1928.com> |
Subject | EFT Payment Notification - May 2, 2024 |
Thread-Topic | EFT Payment Notification - May 2, 2024 |
Thread-Index | AQHanNPiihYBgX2AIUSIwS8gw7Jc5A== |
Date | Thu, 02 May 2024 20:45:15 +0000 |
Message-ID | <20240502134515.203877D76BDE746C@encore-consulting.net> |
List-Unsubscribe | <mailto:amy370@encore-consulting.net> |
Reply-To | "amycrawfordap@pm.me" <amycrawfordap@pm.me> |
Content-Language | en-US |
X-MS-Exchange-Organization-AuthSource | QB1PEPF00004E0C.CANPRD01.PROD.OUTLOOK.COM |
X-MS-Has-Attach | |
X-MS-Exchange-Organization-Network-Message-Id | 9027943f-b615-45c8-5af4-08dc6aeb028f |
X-MS-TNEF-Correlator | |
X-MS-Exchange-Organization-RecordReviewCfmType | 0 |
x-forefront-antispam-report | CIP:108.60.195.213;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:NSPM;H:cx-a.mxthunder.net;PTR:cx-a.mxthunder.net;CAT:NONE;SFS:(13230031)(35042699013)(3613699003)(17130700007);DIR:INB; |
x-microsoft-antispam | BCL:0;ARA:13230031|35042699013|3613699003|17130700007; |
authentication-results | spf=softfail (sender IP is 108.60.195.213) smtp.mailfrom=encore-consulting.net; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=encore-consulting.net;compauth=none reason=405 |
x-ms-exchange-organization-originalclientipaddress | 108.60.195.213 |
x-ms-exchange-organization-originalserveripaddress | 10.167.240.4 |
received-spf | SoftFail (protection.outlook.com: domain of transitioning encore-consulting.net discourages use of 147.78.241.109 as permitted sender) |
x-eopattributedmessage | 1 |
x-ms-publictraffictype | |
x-ms-office365-filtering-correlation-id | 9027943f-b615-45c8-5af4-08dc6aeb028f |
x-ms-traffictypediagnostic | BN3PEPF0000B074:EE_|DM6PR12MB4388:EE_|QB1PEPF00004E0C:EE_|SA1P223MB1092:EE_|CH0P223MB0330:EE_ |
x-mxthunder-rf-authresults | bolt112a.mxthunder.net; dkim=none; dmarc=none; spf=pass (bolt112a.mxthunder.net: domain of amy370@encore-consulting.net designates 52.100.155.210 as permitted sender) smtp.mailfrom=amy370@encore-consulting.net |
x-mxthunder-identifier | <20240502134515.203877D76BDE746C@encore-consulting.net> |
x-mxthunder-ip-rating | 0, 52.100.155.210, Ugly c=0.071429 p=0 Source Normal |
x-mxthunder-scan-result | 0 |
x-mxthunder-rules | 0-0-0-9245-c |
x-mxthunder-clean | Yes |
x-mxthunder-group | OK |
x-eoptenantattributedmessage | 67201271-6e63-49f9-b8bc-1a3de047214a:0 |
x-ms-exchange-crosstenant-network-message-id | 9027943f-b615-45c8-5af4-08dc6aeb028f |
x-ms-exchange-crosstenant-originalarrivaltime | 02 May 2024 21:01:16.9607 (UTC) |
x-ms-exchange-crosstenant-fromentityheader | Internet |
x-ms-exchange-transport-crosstenantheadersstamped | SA1P223MB1092 |
x-ms-exchange-crosstenant-id | 67201271-6e63-49f9-b8bc-1a3de047214a |
x-ms-exchange-transport-endtoendlatency | 00:00:03.6974807 |
x-ms-exchange-processed-by-bccfoldering | 15.20.7544.013 |
arc-seal | i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mjUzrS+f+6eodEvasydWPlVYXIOezVTS0XAGC+afx+FE5JgGGZKMYwsY18LJ9yXDIQ+1ZYGeWIFl+yBx1sQnM1fjHWJubRWXO3MtmF4g77BIFKRiS8Uo7x6fjPZ6C8CvqPbqtD8UYcSYnTm5fLDWsgdfxXSzgIOaeatroQneu0n5fsY4kwXIt4padpg2JsTC58xEWBL5NYHbQuJNzfkHhsHMISjhetn870vYcu1pW3sL47Zl0BBpbB+AXazZxpq5RCy4zevbo7d7B5O9K4AyfECeD9hVwaUjRRA2NQgNNKH6PoEQsvp4nOOKg8VpjjfnnIq1yHrcbAcUbSIAE7KrFA== |
arc-message-signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=OJMz9CKLrFCPmHDiElQQa2Pjiz27aqT4fXV+P3w2BWM=; b=WZbXTRGvQknK9ytypcvgAxTVIhuiC+SxktJX90dnMFhWyg8ZGuKR00e2dAjjCDrVfZdC/E3rZVzvcuYW5b30jKje5T0hdO5LFD2JXWyz7EMX/8jKpxh5A4XUhTsHys7Nay3mxv3DunN8W3Zx42kiscxK+5+AS3P6jMO2o/OPzaI3cKoXFhO6PYcV/9ZS9ZZMHM0PThVCcepLdSoYOjZYUQisUE9ASp34ZtTRQy10oAXh87YSdRZRdplCnpv/oNM1NXQ/MxFG+zVJW2xQU6TS5Db3qgHbNu7ftV6HafvexUuu5n32eAF/0X7EIhfJO1WFsAu22UvzvdfASYWXl4VRsA== |
arc-authentication-results | i=1; mx.microsoft.com 1; spf=softfail (sender ip is 147.78.241.109) smtp.rcpttodomain=mackietransportation.com smtp.mailfrom=encore-consulting.net; dmarc=none action=none header.from=encore-consulting.net; dkim=none (message not signed); arc=none (0) |
x-forefront-antispam-report-untrusted | CIP:147.78.241.109;CTRY:NL;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:[147.78.241.109];PTR:ErrorRetry;CAT:OSPM;SFS:(13230031)(36860700004)(34020700007)(376005)(61400799018)(3613699003)(17130700007);DIR:OUT;SFP:1501; |
x-ms-exchange-senderadcheck | 1 |
x-microsoft-antispam-untrusted | BCL:0;ARA:13230031|36860700004|34020700007|376005|61400799018|3613699003|17130700007; |
x-ms-exchange-transport-crosstenantheadersstripped | QB1PEPF00004E0C.CANPRD01.PROD.OUTLOOK.COM |
x-ms-office365-filtering-correlation-id-prvs | eda661ef-9a9f-4fdd-8c16-08dc6ae8c611 |
x-ms-exchange-crosstenant-authsource | QB1PEPF00004E0C.CANPRD01.PROD.OUTLOOK.COM |
x-ms-exchange-crosstenant-authas | Anonymous |
x-ms-exchange-authentication-results | spf=softfail (sender IP is 147.78.241.109) smtp.mailfrom=encore-consulting.net; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=encore-consulting.net; |
x-ms-exchange-antispam-relay | 0 |
X-Microsoft-Antispam-Mailbox-Delivery | ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003); |
X-Microsoft-Antispam-Message-Info | bbXV3ksBq2s3JRucoO1y2PM5uTOGXCXyEs2trd8tuLoBgpgPW5psZ8wDKhK6vsQhkiSw1sADEmh6ZGj7aTx/i22p8QI2NCYzHON+3y9hZ84FIXJVfpn171GTDCZcMkZw8OOyBVVlHRPhwxKcI191pzpS4LTfyULaES8kk4E7YOHtkbmQK6b1t7ut9b2zJOB5YQb8jFpX62rn4A5PFMRnGjcQ2xeb0HV4FZcAIJR8uSZ/nG6OG+Tv/Ub61GN0tuc1i2nk81mn236Yl+J2Y3qXNg6x1E7SY4t0m8NTMFXEqZilINstqNaTFm2FhN8gWWRE6dAq6gUxF57yrJaT/TLIDZ8SOe22WHBYaRfHCJaFpI6psx5KDxyAZOFAS44QPQuHYjiqRyUXpcZ4PvSIpU8lGrsdZXt+osWtR6s/yFUdNZo+zyChIsgcBUWOhgJeXgrrRGL+6q0YnvvN1FAv13FkZv6WwVGEBAUOMRnhLxRRN2NmxBABFkspKEYmq1I6niIMK4lbg9HgXLd+5w3yVH7P9/GtwM0ZUsEX4HrHMhSfPHvEkoP7JWtM4mHSu4nFu6MUSIHJX/uUsDdnEBj+xNBl0I+mbGkx0PK9YHUYl7ASXo+c9ylUrcxpmDjsCkBt2x1yKshuoVULmhfUDVqhgsKhNlzhcDYgZUp+aWolFVc14pE7y/nxJqlfzyyiVdB4bHLeiR8Uc04d3xx4YCymo3JCwUnhqaavzQCq1C8qpExwoi9EKX4hmIqhrlzBzOhQJW7W4aGYJr1Lx6NvyVQ5el82m8mQEIH5AtKVJtUkt9BjFyztlqeOR8W1GiJkpRWqmxMcP1KMpfuqIwobD8rsUDlhQVCmSYKEe2ykkqrAm+MtZxWDMEixGaBfJ+kyBuMjcNAoTZshR6n+dNTNOtNzaIw6uuX7rMAppkxj/NXBYKE64khr4G4+6Zg7cnw3SFaUJyXcqCIbVgwOYT7mNtkWrDSEk+jBmyGGmGXo81PY9VWoSSFH221sGXEKart4W+qyGGNf0aGRjRZVjKJf7z8lMDFQON6/llqm6j2mqfHQTMSag7QTxe/lG0oNQVt2xoeE7TQ/6NXQx8UI5l+mPROSpzF5rAM5nw0PpN2vWbyazr9n71AH0CMy80nEk5MK1xXxRdQPA23oZIsUUXIQFto1Q4KWDO1qVZY5d0d1qDV2OMZEGkRfz3uz+Ik7zVNccAJiO/Xeq8NNqohWaSuTIsZRc2Xlms/N4FsAc4Ik1W0I5T/DvEkDG9m6TbXyxbagE4d/beerDtVDTqREqrWI7UUsnfpYOLvjf5TIXMJDJSNcPTXDgeX/+OAJeBC8cqPGOryEKw7Ok/KaAcUs2Cr3JMVACpNbb9HN2iCGHyljaf/Yjfa1IQY/j3vuDt903/y1iMwyWq4CqiUIu5snJwKM/1FUGFZeM7GE2JAZXDwpR9bTbY7L+3c2d+znDuYuAKoJJQwQraJEt34wmQRSJN+GuUpv2DZweLoGZ2rrho0geXHtvSMc1Nzpx8mmLlkiB9qaVVPn6+Fk1ty1QTes0I4KukEj+ihL6bGE/dQFHIG2AVZA7EAoPpCJCjXUeyv8QE9quwxrXlV1SIYTS+Gb14MNIqIHlvUjysWNCLLGZ858UZxjDFQP+FFKTd+o4mPwwbvPskDyYYdpMWrSsEwe4kUlXDa0uP7HZNezwRXp6dhhfz5r0d3BLMWBnzN6FEtj3ZyBQEsNBpMN6oWgUkZK/kPc1FnW1b49ywdz2k4+C8XRsFD/a69RIon42fJJLJh8Oi5bKSygdD0kzTxF3pHxUyQWB/xnOmuAK/BIB7h9LsCE/lVZNI0r6YBfI7XhulDs2VtXlqopwiFIm/esA/Q0UJnccNCZFenK0nxYqdEKfVek/y0beSl1ECp710ppxNE27MFl9mm3LAXZAwQb0t2XjDnthgeVuHgMCc0RsQO6VO2862KfEQOG+k7FyB0aTGZnHCEKC4k81IoCJ3BZaTMEreY9q81sZ5a0ND7zXDcQ4hwWrSBmazGiycF4jFoVwLlmjU+6g/WU4PRESvOHZk7Ltr63pDyCCvYDXmpbn17DsR/18poEgxWtA/IC6YHw5dMi2gJteM77fwEEqPP5AOor+TDWlMch8bIwNliWhs/vXF9bHIWphkrSA8o1rYrnGwV3BFbvzlNvEdmuWDcjEiULzqBZWkNCIdW4wLDCBTGaFb03feGXWuQq0xlqtvibP+rRCWVxtq3x1+djAoyWvO1Y0efTe7Xw3I1FU5cxT4OiYVgaFnPcJMalThUIIowXm4OwGCGsS4BQ710wBZb8bGWyABe36+HrxyFlH3RB8N+74ADq6cMOKr04YgDhlO6qgek1MSggKr/djrrjkLum67WOzeZwWBhm7h0yiWcFTI6WsSXczlr/+74mnsQY8BMW1Vv67wTHqHIFbDTauOaMEpmScCYOfDP9xs5SWg+WBFBaZBW4gj56NPXXDnCUYSOJrUwfnkF44nlrmVl8bWntCW0HdVD17nGKycL3hgXZhUAAdq5EJuX+miXrLHEl9n0uBb1+OI6KFCmXW7xVigcfmwssyJHHhGSmmr1cYI/MazeR3xSREoLlFHZuuFLi6NgHayVWdA7DhQEQSfkoWB2aZTWU7l90+6LNcgainm57LXGoD2rMQchxJIzw0RITAL1960sqqSFQiPcpBy5sukbm/wtpsg8T0lD2pcjXTmaIThvubRYT4vYIqfq9G3fP/IPSpPG0m6Hlpo8lJbdHIEfbrcD/WYmsI9BwQ77WCNb5YUUS+l5tPxqAZ1Y3N7G9McPuXpyp4EwA9JWpEDTYVcKIRXmcDUe84lfS+0saBg== |
Content-Type | text/plain; charset="utf-8" |
Content-ID | <CF9BAB92524B6C49AD3F29EEB7F606EF@NAMP223.PROD.OUTLOOK.COM> |
Content-Transfer-Encoding | base64 |
MIME-Version | 1.0 |
Icon Hash: | 46070c0a8e0c67d6 |