Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
EFT Payment Notification - May 2_ 2024.eml

Overview

General Information

Sample name:	EFT Payment Notification - May 2_ 2024.eml
Analysis ID:	1437710
MD5:	12cbcf6c24ed3c99dd41a6889a74f0f6
SHA1:	f3e00ab1ad0ee952d8f36b7b0135fd6aae0eac21
SHA256:	2c673df8530f050689e3c6439989f9b93ed818a380c02d6fd62a323caa7a7bf9
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

×

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6336 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\EFT Payment Notification - May 2_ 2024.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 1792 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "0A29E8C4-2C2E-4A26-93C1-E5FB27BDD2DB" "A7933F60-11C1-4862-8C31-914C1A6C8DCE" "6336" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6336, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engine

Classification label: clean1.winEML@3/10@0/9

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240507T2029060142-6336.etl

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\EFT Payment Notification - May 2_ 2024.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "0A29E8C4-2C2E-4A26-93C1-E5FB27BDD2DB" "A7933F60-11C1-4862-8C31-914C1A6C8DCE" "6336" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "0A29E8C4-2C2E-4A26-93C1-E5FB27BDD2DB" "A7933F60-11C1-4862-8C31-914C1A6C8DCE" "6336" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\InProcServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.52.131	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.189.173.7	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1437710
Start date and time:	2024-05-07 20:28:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	EFT Payment Notification - May 2_ 2024.eml
Detection:	CLEAN
Classification:	clean1.winEML@3/10@0/9
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.52.131, 52.113.194.132, 20.189.173.7
Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, asia.configsvc1.live.com.akadns.net, mobile.events.data.microsoft.com, onedscolprdwus06.westus.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, jpe-azsc-config.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, mobile.events.data.trafficmanager.net
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: EFT Payment Notification - May 2_ 2024.eml

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.383868381532299
Encrypted:	false
SSDEEP:
MD5:	4316ECB55DB28B16C788B817DFF6354B
SHA1:	BB8A26DA4C1FE73E56FF4104C105CA865AB4BF47
SHA-256:	4E398A6B654D8FD2C96A52BE30BC1F18563877161DA9A3699824ED42C75865DB
SHA-512:	32E4A673E0B06E6D756CF7A44CE8D22DD00080C77E54A7BDEC39CCE52A71BE61FA792FFDB1272DFDBA0946D77DE19C7FABFFB985F7E019AEAE240C3EE1356243
Malicious:	false
Reputation:	unknown
Preview:	TH02...... ....h........SM01X...,....a.h............IPM.Activity...........h...............h............H..h..O.......MY...h...........H..h\cal ...pDat...h0O..0.....O....hO..0...........h........_`.j...h...0@...I.lw...h....H...8..j...0....T...............d.........2h...............k..............!h.............. hw.{..... .O...#h....8.........$h.......8....."h..r.......r...'h..h...........1hO..0<.........0h....4....j../h....h......jH..h..p.....O...-h .......L.O...+h...0......O................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\48F943CC-973B-4082-A517-9598C5352480

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	166208
Entropy (8bit):	5.3409463269269235
Encrypted:	false
SSDEEP:
MD5:	9DD00B035226CCBD83440B5D9E312772
SHA1:	71086740B9B9C3668FFE1025F2BC4C4F2F867F99
SHA-256:	1EC96A0CB90AD65E34DDB389ED2181F5B5AD989C6D69F02EEE4C31A16BEA6D09
SHA-512:	FE0979F6335A003E2313E08CA2945460FA13A7D7C3D9B82102A221DA7E890AA35175FABCD0325523862AA33D6E9E97CC79433658F320E006E1ED1C7FE45C370A
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-05-07T18:29:08">.. Build: 16.0.17629.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04568135146424745
Encrypted:	false
SSDEEP:
MD5:	B4886088C96D485208242D3DB6169AA7
SHA1:	3A15E24E9C996B85412D0976663C14C9F1B1B29A
SHA-256:	4A2E08BD752584BE22815DD0ACF4C20C8D9B21596D38755D322E6477533DD14E
SHA-512:	D41289B88248C0D6AF697A8FF6F82A4D105A78C900E16A46EF8B56651B2FBF49ED6B786DF53755688B81C77679A6D87BCE129ADFB47D21A01AA20839D10EB200
Malicious:	false
Reputation:	unknown
Preview:	..-......................1.].......\|2...(d...K..-......................1.].......\|2...(d...K........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.4859293433460284
Encrypted:	false
SSDEEP:
MD5:	BC55699EC593932C21E4AA8DB7B3248A
SHA1:	BD7B2B355AE32CE6552D9B989EBC51E6DE3357EC
SHA-256:	F66AEA8631868C3AD5B2AA3816E642B5DA7E368A68605469AF8A7C426FBA48F8
SHA-512:	2116554C55DC564C9525CFF5F67E53A75EC06773B6806DC8D9F1AD456219A8F604708DEDB1BD617430CEDEFE895562D17473E6152312B1B54F228719CCF830C0
Malicious:	false
Reputation:	unknown
Preview:	7....-.............\|2...}..I............\|2...nhbA...SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1715106546336901500_EAA4BB55-280F-43F0-9D13-E22B7C7813F4.log

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28760), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.15900406803949874
Encrypted:	false
SSDEEP:
MD5:	6853560A9D8EC9568F1075B60BBC3D66
SHA1:	21461F68A37CC58DC1E316F12DD459C8272AF140
SHA-256:	B513393E3A8DE8D6CD41A4D9C67FEA9C6056C32486AA36A31F5513C63B3D3FAC
SHA-512:	16A603ECDE9EC65870138EE60624CC23B05A80E66ED154535F2ED816BE974B8D9165D9CD662E3AF2EA6A73DAE9BFB732EF6E31514A3FD7F8842520855CEC8075
Malicious:	false
Reputation:	unknown
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..05/07/2024 18:29:06.395.OUTLOOK (0x18C0).0xB54.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-05-07T18:29:06.395Z","Contract":"Office.System.Activity","Activity.CV":"Vbuk6g8o8EOdE+IrfHgT9A.4.9","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...05/07/2024 18:29:06.411.OUTLOOK (0x18C0).0xB54.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-05-07T18:29:06.411Z","Contract":"Office.System.Activity","Activity.CV":"Vbuk6g8o8EOdE+IrfHgT9A.4.10","Activity.Duration":11938,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1715106546339351700_EAA4BB55-280F-43F0-9D13-E22B7C7813F4.log

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240507T2029060142-6336.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	106496
Entropy (8bit):	4.500857989744023
Encrypted:	false
SSDEEP:
MD5:	CCBEA2589A9229DD3B2E19B34176BA98
SHA1:	D410B5A66C5667337E9C2C0BAA9AE47F8D5A58D1
SHA-256:	DB4190BFFD80FF3ADD19CC70C7EF49C8F95C7D51BD32F9ADAA6A106FC187950C
SHA-512:	46803A4DB441C0F4D8A083E34A981478319AB4E4D59D971CE684816B7199BE8607765B65664945F1992B0C9FE16AEBD55D19D48CE8D2671460EC675EC12E5466
Malicious:	false
Reputation:	unknown
Preview:	............................................................................`...T..........q....................eJ..............Zb..2.......................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1............................................................./..Y.............q............v.2._.O.U.T.L.O.O.K.:.1.8.c.0.:.1.d.0.1.f.1.1.3.c.a.2.e.4.a.c.4.a.2.7.a.e.5.7.4.9.b.3.f.9.b.e.7...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.5.0.7.T.2.0.2.9.0.6.0.1.4.2.-.6.3.3.6...e.t.l.......P.P.T..........q............................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:
MD5:	A3CCC4BA25EA15B8D846B72D0CAAD07E
SHA1:	9CFD12A935805959817F0A0073AE516387B41E46
SHA-256:	21EF18135CE0C54E245AA51E76241CD66319F55C6CBC28B40667047FE0FB7122
SHA-512:	B181317118248C786DA5C827C15749C46F433D074C4DB435FEB481BE49781052374D9F167D5FFFD1F4E3249170E3D572520F5C18767D0B1427C632C7F93B204B
Malicious:	false
Reputation:	unknown
Preview:	....5.........................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.1964050067156418
Encrypted:	false
SSDEEP:
MD5:	6F2B8E7072F4A9446C121233590E6439
SHA1:	29518B4479AB76B86B5B01CFCA95363B2BB366CC
SHA-256:	7E4C5F760987AE414C6A7B627C7CA4639018567748B437831FBD6AB70675572E
SHA-512:	7532C778BB6D8DE104E62C84BACE6CA7A8C4467503692B869B9700E301C3833AB3BA6BFBF0F3E71FBF79972803077628B6F35AE6E15C63E37A02256E88FDB59B
Malicious:	false
Reputation:	unknown
Preview:	!BDN....SM......\...a...................W................@...........@...@...................................@...........................................................................$.......D...............................X..................................................................................................................................................................................................................................................................................................\.......b+...:......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	3.60218499363447
Encrypted:	false
SSDEEP:
MD5:	5A1A7404344DFAA1638D76289CF2FE18
SHA1:	D55A160BFE594D4215FEFF9D2C37A09AE8695B4E
SHA-256:	98B9B8D271C6633CF62E9CC09D8EA778D460DA3602A8D758FE6C37DFCE652431
SHA-512:	B0E39A37B81E6A7EDC116FB114D8830CC145FCADFC572C7C1AC9CC517C1306A3C7FB6C2F7BED4AC1A0D4FF32B1F7F2B0C241C606CE6E199D8271A36FBA2D7E4E
Malicious:	false
Reputation:	unknown
Preview:	.?.NC...T.............tq......................#.!BDN....SM......\...a...................W................@...........@...@...................................@...........................................................................$.......D...............................X..................................................................................................................................................................................................................................................................................................\.......b+...:....tq.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with very long lines (347), with CRLF line terminators
Entropy (8bit):	6.050368225208865
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	EFT Payment Notification - May 2_ 2024.eml
File size:	13'516 bytes
MD5:	12cbcf6c24ed3c99dd41a6889a74f0f6
SHA1:	f3e00ab1ad0ee952d8f36b7b0135fd6aae0eac21
SHA256:	2c673df8530f050689e3c6439989f9b93ed818a380c02d6fd62a323caa7a7bf9
SHA512:	de43bda3d9dbebbf69ae3d511a0a5dc0892dbb77317388c1dc02d7317e02e353d811603228398d19a0f44fc192e9215e0e28e5b78cdb801b9e0ea7dbb434054c
SSDEEP:	384:iQ6TrIHdtx15mB3P/hS6DavsRIilLWJmJnRuN:/6Ecf/xb1iJmC
TLSH:	3D521B108B453436DFA182458AB02C4D1122B9C2B9F7D0C47A9F75BA26CF87EBF35D95
File Content Preview:	Received: from SA1P223MB1092.NAMP223.PROD.OUTLOOK.COM (2603:10b6:806:3c9::11).. by CH0P223MB0330.NAMP223.PROD.OUTLOOK.COM with HTTPS; Thu, 2 May 2024.. 21:01:20 +0000..Received: from YQBPR0101CA0023.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c00::36).. by SA1P2

Static Mail

General

Subject:	EFT Payment Notification - May 2, 2024
From:	Amy Crawford <amy64090@encore-consulting.net>
To:	Marsha Hepburn <marsha.hepburn@mackie1928.com>
Cc:
BCC:
Date:	Thu, 02 May 2024 20:45:15 +0000
Communications:	[EXTERNAL] Please refer to the attached PDF document which contains the detailed remittance advice for the recent EFT payment. Transaction Details: Transaction Number: EFT-00640 Date Processed: May 02, 2024 Amount: $8,260.08 Should you have any questions or require further information regarding this transaction, do not hesitate to get in touch by replying to this email. Warm regards, Amy Crawford Accounting Manager Security Business Capital Inc. Message ID : <20240502134515.203877D76BDE746C@encore-consulting.net>
Attachments:

Headers

Key	Value
Received	from [147.78.241.109] (147.78.241.109) by BN3PEPF0000B074.mail.protection.outlook.com (10.167.243.119) with Microsoft SMTP Server id 15.20.7544.18 via Frontend Transport; Thu, 2 May 2024 20:45:16 +0000
From	Amy Crawford <amy64090@encore-consulting.net>
To	Marsha Hepburn <marsha.hepburn@mackie1928.com>
Subject	EFT Payment Notification - May 2, 2024
Thread-Topic	EFT Payment Notification - May 2, 2024
Thread-Index	AQHanNPiihYBgX2AIUSIwS8gw7Jc5A==
Date	Thu, 02 May 2024 20:45:15 +0000
Message-ID	<20240502134515.203877D76BDE746C@encore-consulting.net>
List-Unsubscribe	<mailto:amy370@encore-consulting.net>
Reply-To	"amycrawfordap@pm.me" <amycrawfordap@pm.me>
Content-Language	en-US
X-MS-Exchange-Organization-AuthSource	QB1PEPF00004E0C.CANPRD01.PROD.OUTLOOK.COM
X-MS-Has-Attach
X-MS-Exchange-Organization-Network-Message-Id	9027943f-b615-45c8-5af4-08dc6aeb028f
X-MS-TNEF-Correlator
X-MS-Exchange-Organization-RecordReviewCfmType	0
x-forefront-antispam-report	CIP:108.60.195.213;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:NSPM;H:cx-a.mxthunder.net;PTR:cx-a.mxthunder.net;CAT:NONE;SFS:(13230031)(35042699013)(3613699003)(17130700007);DIR:INB;
x-microsoft-antispam	BCL:0;ARA:13230031\|35042699013\|3613699003\|17130700007;
authentication-results	spf=softfail (sender IP is 108.60.195.213) smtp.mailfrom=encore-consulting.net; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=encore-consulting.net;compauth=none reason=405
x-ms-exchange-organization-originalclientipaddress	108.60.195.213
x-ms-exchange-organization-originalserveripaddress	10.167.240.4
received-spf	SoftFail (protection.outlook.com: domain of transitioning encore-consulting.net discourages use of 147.78.241.109 as permitted sender)
x-eopattributedmessage	1
x-ms-publictraffictype	Email
x-ms-office365-filtering-correlation-id	9027943f-b615-45c8-5af4-08dc6aeb028f
x-ms-traffictypediagnostic	BN3PEPF0000B074:EE_\|DM6PR12MB4388:EE_\|QB1PEPF00004E0C:EE_\|SA1P223MB1092:EE_\|CH0P223MB0330:EE_
x-mxthunder-rf-authresults	bolt112a.mxthunder.net; dkim=none; dmarc=none; spf=pass (bolt112a.mxthunder.net: domain of amy370@encore-consulting.net designates 52.100.155.210 as permitted sender) smtp.mailfrom=amy370@encore-consulting.net
x-mxthunder-identifier	<20240502134515.203877D76BDE746C@encore-consulting.net>
x-mxthunder-ip-rating	0, 52.100.155.210, Ugly c=0.071429 p=0 Source Normal
x-mxthunder-scan-result	0
x-mxthunder-rules	0-0-0-9245-c
x-mxthunder-clean	Yes
x-mxthunder-group	OK
x-eoptenantattributedmessage	67201271-6e63-49f9-b8bc-1a3de047214a:0
x-ms-exchange-crosstenant-network-message-id	9027943f-b615-45c8-5af4-08dc6aeb028f
x-ms-exchange-crosstenant-originalarrivaltime	02 May 2024 21:01:16.9607 (UTC)
x-ms-exchange-crosstenant-fromentityheader	Internet
x-ms-exchange-transport-crosstenantheadersstamped	SA1P223MB1092
x-ms-exchange-crosstenant-id	67201271-6e63-49f9-b8bc-1a3de047214a
x-ms-exchange-transport-endtoendlatency	00:00:03.6974807
x-ms-exchange-processed-by-bccfoldering	15.20.7544.013
arc-seal	i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mjUzrS+f+6eodEvasydWPlVYXIOezVTS0XAGC+afx+FE5JgGGZKMYwsY18LJ9yXDIQ+1ZYGeWIFl+yBx1sQnM1fjHWJubRWXO3MtmF4g77BIFKRiS8Uo7x6fjPZ6C8CvqPbqtD8UYcSYnTm5fLDWsgdfxXSzgIOaeatroQneu0n5fsY4kwXIt4padpg2JsTC58xEWBL5NYHbQuJNzfkHhsHMISjhetn870vYcu1pW3sL47Zl0BBpbB+AXazZxpq5RCy4zevbo7d7B5O9K4AyfECeD9hVwaUjRRA2NQgNNKH6PoEQsvp4nOOKg8VpjjfnnIq1yHrcbAcUbSIAE7KrFA==
arc-message-signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=OJMz9CKLrFCPmHDiElQQa2Pjiz27aqT4fXV+P3w2BWM=; b=WZbXTRGvQknK9ytypcvgAxTVIhuiC+SxktJX90dnMFhWyg8ZGuKR00e2dAjjCDrVfZdC/E3rZVzvcuYW5b30jKje5T0hdO5LFD2JXWyz7EMX/8jKpxh5A4XUhTsHys7Nay3mxv3DunN8W3Zx42kiscxK+5+AS3P6jMO2o/OPzaI3cKoXFhO6PYcV/9ZS9ZZMHM0PThVCcepLdSoYOjZYUQisUE9ASp34ZtTRQy10oAXh87YSdRZRdplCnpv/oNM1NXQ/MxFG+zVJW2xQU6TS5Db3qgHbNu7ftV6HafvexUuu5n32eAF/0X7EIhfJO1WFsAu22UvzvdfASYWXl4VRsA==
arc-authentication-results	i=1; mx.microsoft.com 1; spf=softfail (sender ip is 147.78.241.109) smtp.rcpttodomain=mackietransportation.com smtp.mailfrom=encore-consulting.net; dmarc=none action=none header.from=encore-consulting.net; dkim=none (message not signed); arc=none (0)
x-forefront-antispam-report-untrusted	CIP:147.78.241.109;CTRY:NL;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:[147.78.241.109];PTR:ErrorRetry;CAT:OSPM;SFS:(13230031)(36860700004)(34020700007)(376005)(61400799018)(3613699003)(17130700007);DIR:OUT;SFP:1501;
x-ms-exchange-senderadcheck	1
x-microsoft-antispam-untrusted	BCL:0;ARA:13230031\|36860700004\|34020700007\|376005\|61400799018\|3613699003\|17130700007;
x-ms-exchange-transport-crosstenantheadersstripped	QB1PEPF00004E0C.CANPRD01.PROD.OUTLOOK.COM
x-ms-office365-filtering-correlation-id-prvs	eda661ef-9a9f-4fdd-8c16-08dc6ae8c611
x-ms-exchange-crosstenant-authsource	QB1PEPF00004E0C.CANPRD01.PROD.OUTLOOK.COM
x-ms-exchange-crosstenant-authas	Anonymous
x-ms-exchange-authentication-results	spf=softfail (sender IP is 147.78.241.109) smtp.mailfrom=encore-consulting.net; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=encore-consulting.net;
x-ms-exchange-antispam-relay	0
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	bbXV3ksBq2s3JRucoO1y2PM5uTOGXCXyEs2trd8tuLoBgpgPW5psZ8wDKhK6vsQhkiSw1sADEmh6ZGj7aTx/i22p8QI2NCYzHON+3y9hZ84FIXJVfpn171GTDCZcMkZw8OOyBVVlHRPhwxKcI191pzpS4LTfyULaES8kk4E7YOHtkbmQK6b1t7ut9b2zJOB5YQb8jFpX62rn4A5PFMRnGjcQ2xeb0HV4FZcAIJR8uSZ/nG6OG+Tv/Ub61GN0tuc1i2nk81mn236Yl+J2Y3qXNg6x1E7SY4t0m8NTMFXEqZilINstqNaTFm2FhN8gWWRE6dAq6gUxF57yrJaT/TLIDZ8SOe22WHBYaRfHCJaFpI6psx5KDxyAZOFAS44QPQuHYjiqRyUXpcZ4PvSIpU8lGrsdZXt+osWtR6s/yFUdNZo+zyChIsgcBUWOhgJeXgrrRGL+6q0YnvvN1FAv13FkZv6WwVGEBAUOMRnhLxRRN2NmxBABFkspKEYmq1I6niIMK4lbg9HgXLd+5w3yVH7P9/GtwM0ZUsEX4HrHMhSfPHvEkoP7JWtM4mHSu4nFu6MUSIHJX/uUsDdnEBj+xNBl0I+mbGkx0PK9YHUYl7ASXo+c9ylUrcxpmDjsCkBt2x1yKshuoVULmhfUDVqhgsKhNlzhcDYgZUp+aWolFVc14pE7y/nxJqlfzyyiVdB4bHLeiR8Uc04d3xx4YCymo3JCwUnhqaavzQCq1C8qpExwoi9EKX4hmIqhrlzBzOhQJW7W4aGYJr1Lx6NvyVQ5el82m8mQEIH5AtKVJtUkt9BjFyztlqeOR8W1GiJkpRWqmxMcP1KMpfuqIwobD8rsUDlhQVCmSYKEe2ykkqrAm+MtZxWDMEixGaBfJ+kyBuMjcNAoTZshR6n+dNTNOtNzaIw6uuX7rMAppkxj/NXBYKE64khr4G4+6Zg7cnw3SFaUJyXcqCIbVgwOYT7mNtkWrDSEk+jBmyGGmGXo81PY9VWoSSFH221sGXEKart4W+qyGGNf0aGRjRZVjKJf7z8lMDFQON6/llqm6j2mqfHQTMSag7QTxe/lG0oNQVt2xoeE7TQ/6NXQx8UI5l+mPROSpzF5rAM5nw0PpN2vWbyazr9n71AH0CMy80nEk5MK1xXxRdQPA23oZIsUUXIQFto1Q4KWDO1qVZY5d0d1qDV2OMZEGkRfz3uz+Ik7zVNccAJiO/Xeq8NNqohWaSuTIsZRc2Xlms/N4FsAc4Ik1W0I5T/DvEkDG9m6TbXyxbagE4d/beerDtVDTqREqrWI7UUsnfpYOLvjf5TIXMJDJSNcPTXDgeX/+OAJeBC8cqPGOryEKw7Ok/KaAcUs2Cr3JMVACpNbb9HN2iCGHyljaf/Yjfa1IQY/j3vuDt903/y1iMwyWq4CqiUIu5snJwKM/1FUGFZeM7GE2JAZXDwpR9bTbY7L+3c2d+znDuYuAKoJJQwQraJEt34wmQRSJN+GuUpv2DZweLoGZ2rrho0geXHtvSMc1Nzpx8mmLlkiB9qaVVPn6+Fk1ty1QTes0I4KukEj+ihL6bGE/dQFHIG2AVZA7EAoPpCJCjXUeyv8QE9quwxrXlV1SIYTS+Gb14MNIqIHlvUjysWNCLLGZ858UZxjDFQP+FFKTd+o4mPwwbvPskDyYYdpMWrSsEwe4kUlXDa0uP7HZNezwRXp6dhhfz5r0d3BLMWBnzN6FEtj3ZyBQEsNBpMN6oWgUkZK/kPc1FnW1b49ywdz2k4+C8XRsFD/a69RIon42fJJLJh8Oi5bKSygdD0kzTxF3pHxUyQWB/xnOmuAK/BIB7h9LsCE/lVZNI0r6YBfI7XhulDs2VtXlqopwiFIm/esA/Q0UJnccNCZFenK0nxYqdEKfVek/y0beSl1ECp710ppxNE27MFl9mm3LAXZAwQb0t2XjDnthgeVuHgMCc0RsQO6VO2862KfEQOG+k7FyB0aTGZnHCEKC4k81IoCJ3BZaTMEreY9q81sZ5a0ND7zXDcQ4hwWrSBmazGiycF4jFoVwLlmjU+6g/WU4PRESvOHZk7Ltr63pDyCCvYDXmpbn17DsR/18poEgxWtA/IC6YHw5dMi2gJteM77fwEEqPP5AOor+TDWlMch8bIwNliWhs/vXF9bHIWphkrSA8o1rYrnGwV3BFbvzlNvEdmuWDcjEiULzqBZWkNCIdW4wLDCBTGaFb03feGXWuQq0xlqtvibP+rRCWVxtq3x1+djAoyWvO1Y0efTe7Xw3I1FU5cxT4OiYVgaFnPcJMalThUIIowXm4OwGCGsS4BQ710wBZb8bGWyABe36+HrxyFlH3RB8N+74ADq6cMOKr04YgDhlO6qgek1MSggKr/djrrjkLum67WOzeZwWBhm7h0yiWcFTI6WsSXczlr/+74mnsQY8BMW1Vv67wTHqHIFbDTauOaMEpmScCYOfDP9xs5SWg+WBFBaZBW4gj56NPXXDnCUYSOJrUwfnkF44nlrmVl8bWntCW0HdVD17nGKycL3hgXZhUAAdq5EJuX+miXrLHEl9n0uBb1+OI6KFCmXW7xVigcfmwssyJHHhGSmmr1cYI/MazeR3xSREoLlFHZuuFLi6NgHayVWdA7DhQEQSfkoWB2aZTWU7l90+6LNcgainm57LXGoD2rMQchxJIzw0RITAL1960sqqSFQiPcpBy5sukbm/wtpsg8T0lD2pcjXTmaIThvubRYT4vYIqfq9G3fP/IPSpPG0m6Hlpo8lJbdHIEfbrcD/WYmsI9BwQ77WCNb5YUUS+l5tPxqAZ1Y3N7G9McPuXpyp4EwA9JWpEDTYVcKIRXmcDUe84lfS+0saBg==
Content-Type	text/plain; charset="utf-8"
Content-ID	<CF9BAB92524B6C49AD3F29EEB7F606EF@NAMP223.PROD.OUTLOOK.COM>
Content-Transfer-Encoding	base64
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6