Windows Analysis Report
email.eml

Overview

General Information

Sample name:email.eml
Analysis ID:1591756
MD5:81f3056af0caf20e4332b2b267469693
SHA1:e111e9306afab985d93b0785d2661ad7720942a9
SHA256:3fcd78d78b482596897b6492e1235c7dcdd268b4cd87fa5b9a6d8398871c3f41
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Creates a window with clipboard capturing capabilities
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7028 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\email.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6472 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "4511DD87-94CA-4A9B-9E00-EBDD1CDE456E" "E528932F-66C6-4B54-AFB3-40B585684DB4" "7028" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: Registry Key set; Author: frack113; Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ENRFOHBR\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
No Suricata rule has matched

Phishing

Source: Email; Joe Sandbox AI: Detected potential phishing email: Mass email sent to numerous recipients about a sensitive/controversial topic is suspicious. Sender email (gmail) doesn't match claimed identity of Henry Samueli. Subject line and mass distribution suggests potential scam or malicious content
Source: Email; Joe Sandbox AI: Detected suspicious elements in Email header: Return-path Gmail address doesn't match the routing through Proofpoint and Microsoft Exchange servers. Suspicious IP (185.132.181.78) from Germany in X-Forefront-Antispam-Report. Multiple email security gateways in chain (Proofpoint, Microsoft) suggesting potential header manipulation. Complex routing path inconsistent with claimed Gmail origin. Presence of extensive Microsoft anti-spam headers with encoded data suggests possible evasion attempt. Message appears to be trying to pass through multiple security layers while masquerading as Gmail
Source: Email; Classification: Lure-Based Attack
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: augloop.office.com
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window created: window name: CLIPBRDWNDCLASS
Source: classification engine; Classification label: mal48.winEML@3/9@1/74
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250115T0604460612-7028.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\email.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "4511DD87-94CA-4A9B-9E00-EBDD1CDE456E" "E528932F-66C6-4B54-AFB3-40B585684DB4" "7028" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: email.eml; Static file information: File size 22191363 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 11 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Clipboard Data | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
augloop.office.com | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
2.16.168.119 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false
52.109.28.47 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.109.32.97 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.189.173.4 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.109.89.119 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.111.231.21 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
2.23.242.162 | unknown | European Union | 8781 | QA-ISPQA | false
    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1591756
    Start date and time:2025-01-15 12:04:16 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:22
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:email.eml
    Detection:MAL
    Classification:mal48.winEML@3/9@1/74
    Cookbook Comments:
    • Found application associated with file extension: .eml
    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.28.47, 2.16.168.119, 2.16.168.101, 20.189.173.4
    • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, eur.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, onedscolprdwus03.westus.cloudapp.azure.com, uks-azsc-000.roaming.officeapps.live.com, ocsp.digicert.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, ukw-azsc-config.officeapps.live.com, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, a1864.dscd.akamai.net
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtCreateKey calls found.
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • Report size getting too big, too many NtSetValueKey calls found.
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:modified
    Size (bytes):110592
    Entropy (8bit):4.44716164069578
    Encrypted:false
    SSDEEP:
    MD5:CBABF19B393041445DCE7E1A51A785C8
    SHA1:5F6728AE5D3D185B2AE18385957E2FEB316DFFCD
    SHA-256:E0FD7176A3FA0BBC33461BF6AE45D0FE8755AB68D99DB0533F710234D84E88FD
    SHA-512:027486F8629FC5687C23C7CD8F3A2FF69A5DAB1694398B34A6C4ACAF2DFECCF97B6FA3603FA26AD20F7CB81EA64DF3BC9A54135BF1ACFE038F37D844BBD15916
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):452018
    Entropy (8bit):7.970420654053246
    Encrypted:false
    SSDEEP:
    MD5:C4E7EC5B6119D477D24575BA4E3B0EB0
    SHA1:CB884164EB9D41FBEFE0AEB7F2FFA93320EF6049
    SHA-256:16D29D2F7E7219F21CA64C3D712F78723D543B37955C0891F9B8DA1A6F18B89A
    SHA-512:EAE6EA8EC07CABC3B8FC33D1632FA40E24438B3A8D62E9991C586EA8B0A78B9083248A19F251EA667FBF9BCEDC0FD1ECD5A2A1BF65E5C7564C11CC246580A21E
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):3763153
    Entropy (8bit):7.939076019191649
    Encrypted:false
    SSDEEP:
    MD5:ED1A1D5077341178FD0ABFD594A6FC17
    SHA1:BB36E1104E477B52678B543C5166968E3E2A426B
    SHA-256:B69868A636744497067A9304F42625D32BAC1D0BAFC4F90221D50A6BF5B127BD
    SHA-512:0FE61DCED006FC06DC152738826B5812BA156511457DA44231CB89146232B9E8EDA818321B876157B40B28C36E11C7697B5FF0CBCA56264B2D4C0495A0B6DDEB
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):3679466
    Entropy (8bit):7.9228037591196605
    Encrypted:false
    SSDEEP:
    MD5:85164A8A3B6DF735C341697BCA550236
    SHA1:A1974E613C16F71F4A6BF7D64A5409AA7FD494A8
    SHA-256:20E9F34D648DE2E256F9BE0C0B2A43530F49AB0021BBD7E5590081C90CDC0223
    SHA-512:2A4A27977F09F88FD13A04DB572527C42C516DDABFA30517E564933529812A86A671B04EAFDE4F79587F7BDBCFE3AA44F38B9BA7EA537F852CCC8F0A78E87632
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Common Data Format (Version 2.5 or earlier) data
    Category:dropped
    Size (bytes):3722936
    Entropy (8bit):7.91442938187225
    Encrypted:false
    SSDEEP:
    MD5:EA34253A01E6507827AAAF00339A1DD6
    SHA1:2D0B3655A12F1E389A4E30E74BDFF706C745AE5F
    SHA-256:1E0F2243E3BA8087114D4897280432D5C91E2761385BB72F55D5D45073CCB3FE
    SHA-512:372AE1B76653CF8FFE3ABA5D14AB8A52DE4C5675EAA447D8107B7079D635686F60D09EE9C2982BAE095F94225E5C6F85067F2EC60571AD9B43D1BE8C058FF63F
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):3929067
    Entropy (8bit):7.927536208760258
    Encrypted:false
    SSDEEP:
    MD5:C5C73CE56504F593DA725BF322563ABE
    SHA1:FE194ED055CD6E9BD1CC7ABA5227405B4B9C440D
    SHA-256:FA4A7E8469DF468D2169D49FFE5248DF43F7985D03DE58A2CE6F69BAD67E05C4
    SHA-512:94C0B92C3162EF6D9E614A9AE17A78B791FE6EAF36609B531E5EF643E1624525D3A8FF40595893D9E4A0A3FC7BD140D84ACDAD0A20CDF3D87D47655D82309335
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):538875
    Entropy (8bit):5.98656921049607
    Encrypted:false
    SSDEEP:
    MD5:F91E302BCF2D42D7B2093A3C908A4519
    SHA1:6ACD79EF862FD5B64A04EB5FF4AC0A2C6B675DF1
    SHA-256:0B37396AF8857584DF3572CBE1E7039C1631C957021039ABED3ECAAF6616EDD4
    SHA-512:0C809339AD2086B04D6B8C28E917F17FD28827B199E144A2A3556FFC614A3BDE52BA85CB52017726E77B5375EE531DD47C83349293DB2B9F141F2A73213564FF
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):18555904
    Entropy (8bit):7.463257330047167
    Encrypted:false
    SSDEEP:
    MD5:362F2AF0F348EA03AD6D0C6B116EABB0
    SHA1:77B8C6F7484E5A6706B80BE90104066590A0A168
    SHA-256:730DB78BA051D9FBD080D30F3CB460F18922289C7A48823BAE1878EFE0642B44
    SHA-512:3FF7EBB9ECC32893FF106D7724868C55D742E7D1E5E4794829DB0512B0DECEFB197A9A5F16F6651F96AA02CCE794852128BC055D22D48D0E64F8B5F6297B113D
    Malicious:true
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):3407872
    Entropy (8bit):7.801835716482729
    Encrypted:false
    SSDEEP:
    MD5:DDDED788C959378C93A08758949150C8
    SHA1:AF8C824D0AA742675EED657D18C5FDA1180FE7AA
    SHA-256:C1C510DE058800FA63FAD8901E13D3A1C644EDD83CFF65B4128317358201AAFE
    SHA-512:920EFA5A749F0BC435EC2CA7925BD02F4E4559EA17EEB039A181C5ABADAE4B82549111EB70085819437E1126BE5D7DFA6D8D381E444AE3D6A9CCE10C0C914A93
    Malicious:true
    Reputation:unknown
    File type:RFC 822 mail, ASCII text, with CRLF line terminators
    Entropy (8bit):5.993984067350163
    TrID:
    • E-Mail message (Var. 5) (54515/1) 100.00%
    File name:email.eml
    File size:22'191'363 bytes
    MD5:81f3056af0caf20e4332b2b267469693
    SHA1:e111e9306afab985d93b0785d2661ad7720942a9
    SHA256:3fcd78d78b482596897b6492e1235c7dcdd268b4cd87fa5b9a6d8398871c3f41
    SHA512:ff4a223a31ac801ca1a150f056cce8c707b1de6d2264096e867e8997a3a5827e018e37e68acc3d02de14e8e628812858723f62ecdc5d2616e72a7f528286ec6d
    SSDEEP:49152:QwnsVoxTOsyp0CtttsdaNASujh+DGE2yY9Wt1goDZzr6xLVNL4Kw+ORIYbwvaiw3:c
    TLSH:C52722B28A9B6AEA0E306861920C7F24AC9D6BC78504421B974CFEF475DD4349F7EC35
    File Content Preview:Received: from CWXP265MB3333.GBRP265.PROD.OUTLOOK.COM (::1) by.. LO2P265MB1503.GBRP265.PROD.OUTLOOK.COM with HTTPS; Tue, 14 Jan 2025 18:23:08.. +0000..Received: from LO2P265CA0251.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:8a::23).. by CWXP265MB3333.GBRP265.
    Subject:[External] Jade Cox, sex trafficking abuse victim since age three to current.
    From:Henry Samueli <henrysamueli565@gmail.com>
    To:John Cross <john.cross@quilter.com>, Lloyd Nunn <lloyd.nunn@quilter.com>, Jessica Badminton <jessica.badminton@quilter.com>, Tosin Odukoya <tosin.james-odukoya@quilter.com>, Roddy Munro <roddy.munro@quilter.com>, Kerry Moll <kerry.moll@quilter.com>, Warren Bevis <warren.bevis@quilter.com>, Steven Levin <steven.levin@quilter.com>, Andrea Crawford <andrea.crawford@quilter.com>, Michelle Brodie <michelle.brodie@quilter.com>, Matthew White <matthew.white@quilter.com>, Sian Romsey <sian.romsey@quilter.com>, Martin Taylor <martin.taylor@quilter.com>, David Thompson <david.thompson@quilter.com>, Chris Matcham <chris.matcham@quilter.com>, John Crutchley <john-paul.crutchley@quilter.com>, Jonathan Greer <jonathan.greer@quilter.com>, Rajat Sharma <rajat.sharma@quilter.com>, Nina Broome <nina.broome@quilter.com>, Graham Folley <graham.folley@quilter.com>, Gareth Jones <gareth.jones@quilter.com>, Uzma Majid <uzma.majid@quilter.com>, Wendy Gell <wendy.gell@quilter.com>, Gareth Davies <gareth.davies@quilter.com>, Sian Lendon <sian.lendon@quilter.com>, Anna Branch <anna.branch@quilter.com>, Luke Lawton <luke.lawton@quilter.com>, Paul Spencer <paul@quilter.com>, Martin Digweed <martin.digweed@quilter.com>, Stephen Mcmanus <stephen.mcmanus@quilter.com>, William Sharp <william.sharp@quilter.com>, Gregor Davidson <gregor.davidson@quilter.com>, Daniel Terrot <daniel.terrot@quilter.com>, Darren Diplock <darren.diplock@quilter.com>, Adrian Fisher <adrian.fisher@quilter.com>, Tertius Coetzee <tertius.coetzee@quilter.com>, Alex Berry <alex.berry@quilter.com>, Peter Mahony <peter.mahony@quilter.com>, Rachael Jewett <rachael.jewett@quilter.com>, Karen Potter <karen.potter@quilter.com>, Francesca Collman <francesca.collman@quilter.com>, Martin Ryan <martin.ryan@quilter.com>, Alice Donald <alice.donald@quilter.com>, Emily Murchison <emily.murchison@quilter.com>, Peter Wallace <peter.wallace@quilter.com>, Sam Hillman <sam.hillman@quilter.com>, Laura Smith <laura.smith@quilter.com>, 
Sarah Litton <sarah.litton@quilter.com>, Claire Jasper <claire.jasper@quilter.com>, Karen Reeds <karen.reeds@quilter.com>, Craig Ro <craig.ross@quilter.com>, Tony Devitt <tony.devitt@quilter.com>, Jason Buick <jason.buick@quilter.com>, Andrew Roberts <andrew.roberts@quilter.com>, Jamie Clark <jamie.clark@quilter.com>, Matthew Evans <matthew.evans@quilter.com>, Louise Leigh <louise.leigh@quilter.com>, Katherine Griffiths <katherine.griffiths@quilter.com>, Katrina Haynes <katrina.haynes@quilter.com>, Andy Miller <andy.miller@quilter.com>, Stewart McAlpine <stewart.mcalpine@quilter.com>, Kat Vine <kat.vine@quilter.com>, Nigel Jeffries <nigel.jeffries@quilter.com>, Matthew Elson <matthew.elson@quilter.com>, Heidi Dilk <heidi.dilk@quilter.com>, Nick Lane <nick.lane@quilter.com>, Bethan Lloyd <bethan.lloyd@quilter.com>, Andrew Redding <andrew.redding@quilter.com>, Christian Searle <christian.searle@quilter.com>, Anthony Scammell <anthony.scammell@quilter.com>, Ross Clarkson <ross.clarkson@quilter.com>, Clare Lang <clare.lang@quilter.com>, Tim Skelton-Smith <tim.skelton-smith@quilter.com>, Jenny Davidson <jenny.davidson@quilter.com>, Chris Deakin <chris.deakin@quilter.com>, Claudia Wellner <claudia.wellner@quilter.com>, Barry Cook <barry.cook@quilter.com>, Kevin Lee-Crossett <kevin.lee-crossett@quilter.com>, Sam Taylor <sam.taylor@quilter.com>, Shane Squibb <shane.squibb@quilter.com>, Leanne Knight <leanne.knight@quilter.com>, Sally Beety <sally.beety@quilter.com>, Andy Iszatt <andy.iszatt@quilter.com>, Paul Boichat <paul.boichat@quilter.com>, Jeremy Mugridge <jeremy.mugridge@quilter.com>, James Cox <james.cox@quilter.com>, Marketa Dunn <marketa.dunn@quilter.com>, Heather Roberts <heather.roberts@quilter.com>, Celine Tournette <celine.tournette@quilter.com>, Carris Harris <carris.harris@quilter.com>, Penny Cole <penny.cole@quilter.com>, Jennifer Piper <jennifer.piper@quilter.com>
    Cc:
    BCC:
    Date:Tue, 14 Jan 2025 13:22:24 -0500
    Communications:
    Attachments:
    • IMG_20220202_122959514_HDR~2.jpg
    • IMG_20220228_084645911_HDR.jpg
    • IMG_20220228_085110977.jpg
    • IMG_20220201_163142094.jpg
    • IMG_20220131_163344195.jpg
    Key Value
    Received: by mail-ej1-f54.google.com with SMTP id a640c23a62f3a-aaf8f0ea963so1131572866b.3; Tue, 14 Jan 2025 10:22:45 -0800 (PST)
    Authentication-Results: spf=softfail (sender IP is 185.132.181.78) smtp.mailfrom=gmail.com; dkim=fail (signature did not verify) header.d=gmail.com;dmarc=fail action=none header.from=gmail.com;compauth=none reason=405
    Received-SPF: SoftFail (protection.outlook.com: domain of transitioning gmail.com discourages use of 185.132.181.78 as permitted sender)
    Authentication-Results-Original: ppops.net; spf=pass smtp.mailfrom=henrysamueli565@gmail.com; dkim=pass header.d=gmail.com header.s=20230601; dmarc=pass header.from=gmail.com
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1736878965; x=1737483765; darn=quilter.com; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=geftkU1ZiyyvdUoApgL2vFpDquKVDRF0iCvfXWtZwsU=; b=FqX6fwbHGh7QdJdPD2kNFFGkm3slvPRCjfvj9nG4q6cxKHYW8m2vr+yD+rpDZ38DIZ +mrXgN6n8TTCQrG+VlSodmfGWV1ThceuQK+0wOcZM89zqEONxpXK+lu1e52d7RvMjpTi O9yEtS05kPTimQH8WqBJXr0zBC2PZQejxiUCMbHK3eW7qWiQpAuLYftpvFMkHoqNk74L 1p1pigm6hkGnCithKUFsjxrs4NZdHSBw1a4hI5HOyYYLtERVdBhj77ToUKBb9tnM6ARY Elrdft5QvrdnvTekQ6J8qY6mt3L3mqhU/4DYeQ7KQP2pp2Qx/TgQ2nQ4K4B0m9kDkch1 vdSw==
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736878965; x=1737483765; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=geftkU1ZiyyvdUoApgL2vFpDquKVDRF0iCvfXWtZwsU=; b=IagiSHQ48lFI/PDcDfgdmtGjP5eLHIv4RqFRHiV7Qw+hO/oI37KKRGSuCFu4JTg8qH yQgx2Uk3HkQZWe8ChppoFGumO1qgXTZtlrDWNEIPJpS+DON+tl6lR7t8Pt+yrjYdUHeJ A4lynKyNbkmfvvKLtCHM1jaY3Q/gvS9MpLPoE9XykWVS/C7eXGPffzj/shh0joD1MSMv aazxTtKSAQmzythlcBCkZ0si6awEdI7AYEo0kxh3Q/O0ggZHw9vNA9iGeyok/YRy9w/o PzqzMhsPqMpYXVe3Unq2spgX8CYc6peZR7Vn/YViwVe83A2hSngGZZyv026o5ENSiH0C pSiA==
    X-Received: by 2002:a17:907:c0c:b0:aae:8490:9429 with SMTP id a640c23a62f3a-ab2ab6fd4c3mr2383491066b.34.1736878962716; Tue, 14 Jan 2025 10:22:42 -0800 (PST)
    From: Henry Samueli <henrysamueli565@gmail.com>
    Date: Tue, 14 Jan 2025 13:22:24 -0500
    X-Gm-Features: AbW1kvZVPt9RiK0jmwk1P7NTAY3Xdy_jDgyT8Fjlxvv-fKUGQ0A450Oyv1L1vxI
    Message-ID: <CAFnk97MqZwGDo8L8ftPbeNBkpLosmiiqAzaAQTb0ub8-im494Q@mail.gmail.com>
    Content-Type: multipart/mixed; boundary="00000000000099d29b062baea544"
    X-Proofpoint-ORIG-GUID: XiVMiDyIvtylFWBMqFdX41PHl7cRKbEq
    X-Proofpoint-GUID: N36c1ulyg7-w5MgQ05s5_9ajAX8X4KUa
    X-CLX-Shades: Junk
    Subject: [External] Jade Cox, sex trafficking abuse victim since age three to current.
    X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-06_09,2024-09-06_01,2024-09-02_01
    X-Proofpoint-Spam-Reason: orgsafe
    Return-Path: henrysamueli565@gmail.com
    X-MS-Exchange-Organization-ExpirationStartTime: 14 Jan 2025 18:22:55.9100 (UTC)
    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
    X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
    X-MS-Exchange-Organization-Network-Message-Id: 954b0492-2309-4a55-8590-08dd34c8777a
    X-EOPAttributedMessage: 0
    X-EOPTenantAttributedMessage: 0c5bd621-4db2-45d4-92c6-94708f93fa6e:0
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    X-MS-PublicTrafficType: Email
    X-MS-TrafficTypeDiagnostic: LO1PEPF000022FF:EE_|CWXP265MB3333:EE_|LO2P265MB1503:EE_
    X-MS-Exchange-Organization-AuthSource: LO1PEPF000022FF.GBRP265.PROD.OUTLOOK.COM
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Office365-Filtering-Correlation-Id: 954b0492-2309-4a55-8590-08dd34c8777a
    X-MS-Exchange-Organization-SCL: -1
    X-Microsoft-Antispam: BCL:0;ARA:13230040|2092899012|7093399012|12012899012|3072899012|82310400026|921020|8096899003;
    X-Forefront-Antispam-Report: CIP:185.132.181.78;CTRY:DE;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx07-0036ff01.pphosted.com;PTR:mx07-0036ff01.pphosted.com;CAT:NONE;SFS:(13230040)(2092899012)(7093399012)(12012899012)(3072899012)(82310400026)(921020)(8096899003);DIR:INB;
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Jan 2025 18:22:55.8006 (UTC)
    X-MS-Exchange-CrossTenant-Network-Message-Id: 954b0492-2309-4a55-8590-08dd34c8777a
    X-MS-Exchange-CrossTenant-Id: 0c5bd621-4db2-45d4-92c6-94708f93fa6e
    X-MS-Exchange-CrossTenant-AuthSource: LO1PEPF000022FF.GBRP265.PROD.OUTLOOK.COM
    X-MS-Exchange-CrossTenant-AuthAs: Anonymous
    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: CWXP265MB3333
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:12.8834374
    X-MS-Exchange-Processed-By-BccFoldering: 15.20.8335.015
    X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
    MIME-Version: 1.0

    Icon Hash:46070c0a8e0c67d6