
Windows Analysis Report
Invoice#1427743190.eml

Overview

General Information

Sample name:Invoice#1427743190.eml
Analysis ID:1647680
MD5:36fc49527d7c4a4327cd23b5ec47d36c
SHA1:d14990e4b3538bc4197d666a189bb69dd92e33f7
SHA256:1ce989f8801deb9488e7fd1ee49fecdd079ca8a1dd4766bb7d04a2f6335bc727

Detection

Score:52
Range:0 - 100
Confidence:100%

Signatures

AI detected suspicious Javascript
AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Creates files inside the system directory
Deletes files inside the Windows folder
HTML page contains hidden javascript code
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores large binary data to the registry

Classification

Classification label: mal52.winEML@23/3@4/101 (Detection: MAL)

Process Tree
  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7068 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Invoice#1427743190.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 4660 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "1BD3D1C1-6621-4DDB-BBD6-2D7BAF0F092D" "7B45B0E3-4C62-4C0F-A278-5FEEEEDABFC4" "7068" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 6964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\33TXKKFF\.svg MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 6280 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,9122213256895341260,5005634520328275627,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
No yara matches
[Source: Registry Key set] Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7068, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
[Source: Registry Key set] Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\33TXKKFF\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7068, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
No Suricata rule has matched

Phishing

[Source: 0.0..script.csv] Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/AppData/Local/Microsoft/Wind... This script exhibits several high-risk behaviors, including dynamic code execution through the use of `atob()` to decode a URL, and the potential for data exfiltration by sending user data to an untrusted domain. The obfuscated code and URL also raise concerns about the script's true intent. While the comments suggest benign content, the overall behavior is highly suspicious and indicative of a potentially malicious script.
[Source: Email] Joe Sandbox AI: Detected potential phishing email: Suspicious sender domain 'seytrax.com' appears to be non-standard/unknown. SVG attachment is a high-risk file type commonly used in phishing attacks. Generic invoice subject with random number pattern typical of mass phishing.
[Source: Email] Joe Sandbox AI: Detected suspicious elements in Email header: Email originated from localhost (127.0.0.1), which is highly suspicious. Contains an SVG attachment, which is a common vector for malicious scripts. SendGrid infrastructure is being used but with suspicious routing through localhost. Return path contains multiple redirections and an unusual domain (seytrax.com). Despite low SCL and BCL scores, the combination of localhost origin and SVG attachment raises significant concerns. Message appears to be trying to masquerade as legitimate SendGrid traffic while using suspicious routing. The presence of base64 encoding with an SVG file is a common malware delivery technique.
[Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/33TXKKFF/.svg] HTTP Parser: Base64 decoded: chris.garner@casa.gov.au
[Source: Email] Classification: Invoice Scam
[Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/33TXKKFF/.svg] HTTP Parser: No favicon
[Source: unknown] HTTPS traffic detected: 142.250.65.228:443 -> 192.168.2.16:49723 version: TLS 1.2
[Source: chrome.exe] Memory has grown: Private usage: 12MB later: 38MB
[Source: unknown] TCP traffic detected without corresponding DNS query: 204.79.197.203 (7 entries)
[Source: unknown] TCP traffic detected without corresponding DNS query: 52.182.143.211 (7 entries)
[Source: unknown] UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 entries)
[Source: unknown] TCP traffic detected without corresponding DNS query: 142.251.40.131 (2 entries)
[Source: unknown] TCP traffic detected without corresponding DNS query: 2.23.227.208
[Source: global traffic] DNS traffic detected: DNS query: inv18993383.cloudfaxservice.de
[Source: global traffic] DNS traffic detected: DNS query: www.google.com
[Source: unknown] Network traffic detected: HTTP traffic on port 49695 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49695
[Source: unknown] Network traffic detected: HTTP traffic on port 49679 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 49671 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 49728 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 49723 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49728
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49723
[Source: unknown] HTTPS traffic detected: 142.250.65.228:443 -> 192.168.2.16:49723 version: TLS 1.2
[Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Windows\SystemTemp\scoped_dir6964_1561580861
[Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File deleted: C:\Windows\SystemTemp\scoped_dir6964_1561580861
[Source: classification engine] Classification label: mal52.winEML@23/3@4/101
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250325T0132490997-7068.etl
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] File read: C:\Users\desktop.ini
[Source: unknown] Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Invoice#1427743190.eml"
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "1BD3D1C1-6621-4DDB-BBD6-2D7BAF0F092D" "7B45B0E3-4C62-4C0F-A278-5FEEEEDABFC4" "7068" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" (2 entries)
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\33TXKKFF\.svg (2 entries)
[Source: C:\Program Files\Google\Chrome\Application\chrome.exe] Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,9122213256895341260,5005634520328275627,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3 (2 entries)
[Source: C:\Program Files\Google\Chrome\Application\chrome.exe] Process created: unknown unknown (16 entries)
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: apphelp.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: c2r64.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: userenv.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: msasn1.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: kernel.appcore.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: cryptsp.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: rsaenh.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: cryptbase.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Section loaded: gpapi.dll
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Window found: window name: SysTabControl32
[Source: Window Recorder] Window detected: More than 3 window changes detected
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Process information set: NOOPENFILEERRORBOX (66 entries)
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 entries)
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
[Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE] Process information queried: ProcessInformation
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
[Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe] Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the hit count for a matched technique, entries without a number did not match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 21 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; 1 Extra Window Memory Injection; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 1 Modify Registry; 1 Process Injection; 1 DLL Side-Loading; 1 File Deletion; 1 Extra Window Memory Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Process Discovery; 1 File and Directory Discovery; 13 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 2 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

No Antivirus matches
URL scan results
Source | Detection | Scanner | Label
file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/33TXKKFF/.svg | 0% | Avira URL Cloud | safe

Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.65.228 | true | false | - | high
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | - | high
inv18993383.cloudfaxservice.de | 172.67.158.181 | true | false | - | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/33TXKKFF/.svg | false | Avira URL Cloud: safe | unknown

Reputation legend:
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
52.109.4.7 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.65.163 | unknown | United States | 15169 | GOOGLEUS | false
52.123.129.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.189.173.12 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.251.40.142 | unknown | United States | 15169 | GOOGLEUS | false
142.250.65.228 | www.google.com | United States | 15169 | GOOGLEUS | false
142.250.65.227 | unknown | United States | 15169 | GOOGLEUS | false
142.251.32.110 | unknown | United States | 15169 | GOOGLEUS | false
172.217.165.142 | unknown | United States | 15169 | GOOGLEUS | false
172.253.115.84 | unknown | United States | 15169 | GOOGLEUS | false
142.251.35.163 | unknown | United States | 15169 | GOOGLEUS | false

Private IP
192.168.2.16
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1647680
        Start date and time:2025-03-25 06:32:15 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        Analysis Mode:stream
        Analysis stop reason:Timeout
        Sample name:Invoice#1427743190.eml
        Detection:MAL
        Classification:mal52.winEML@23/3@4/101
        Cookbook Comments:
        • Found application associated with file extension: .eml
        • Exclude process from analysis (whitelisted): svchost.exe
        • Excluded IPs from analysis (whitelisted): 52.123.129.14
        • Excluded domains from analysis (whitelisted): ecs.office.com, dual-s-0005-office.config.skype.com, ecs.office.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetValueKey calls found.
        • VT rate limit hit for: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/33TXKKFF/.svg
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:modified
        Size (bytes):106496
        Entropy (8bit):4.514718434632564
        Encrypted:false
        SSDEEP:
        MD5:66B9E1EAEEF2A4ABF26B217668AC2E3B
        SHA1:504BB449572487210FBCF4F965B9119B31B28034
        SHA-256:CE08940E3E1AA49EEC9E2E264B23F1F4564E0F39540273E64260D665E7FDC08D
        SHA-512:D1FF0D89BD3BDF1CC42E43A9B8B63CC07EAFC11A9E0790727804778E4791A7F6BFD7F106585BC9B6176AE33B31BA7E057B1BCE6E1AB93BDF139F9F38FB5E1D94
        Malicious:false
        Reputation:unknown
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:Microsoft Outlook email folder (>=2003)
        Category:dropped
        Size (bytes):271360
        Entropy (8bit):2.5354741026486476
        Encrypted:false
        SSDEEP:
        MD5:ECC960EBB4B187C04A67762BBB26274E
        SHA1:88ED756F7D53E861BF10CEC6940B5B15887D5EB7
        SHA-256:73D49D2C2E494646A5532FD7DCA8B12FE4B7523721AC2BFFD76BDCB8996C5EA7
        SHA-512:2A9638505199CC15C5046E5A81FC71B2AA913A2C956FC9B04C7C57F149970B163CCE875418EF798321037B9B3034303148F25922FE2DF740CB63F3D3B2F426A1
        Malicious:true
        Reputation:unknown
        Preview:
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:OpenPGP Public Key
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):2.7518749878623554
        Encrypted:false
        SSDEEP:
        MD5:B9EDAFA749D22B6AE32E1BAB1C3036D3
        SHA1:FF71474B29FBFD4A4F814D36DD4239BF91388641
        SHA-256:D8B0CD3F2FC1E48023461E9B11425F277D5947EB0256798D12FCFCA93EBF5DB0
        SHA-512:52A041E3274A601949AC068D408EB961739A837971C0460FEA4EC2E950C7583C985486F19BED0F6CC5F3066720FDDA0BC65AC1C5438A0C3D84F57B48C817F95E
        Malicious:true
        Reputation:unknown
        Preview:
        File type:RFC 822 mail, ASCII text, with very long lines (341), with CRLF line terminators
        Entropy (8bit):6.064412685473984
        TrID:
        • E-Mail message (Var. 5) (54515/1) 100.00%
        File name:Invoice#1427743190.eml
        File size:13'330 bytes
        MD5:36fc49527d7c4a4327cd23b5ec47d36c
        SHA1:d14990e4b3538bc4197d666a189bb69dd92e33f7
        SHA256:1ce989f8801deb9488e7fd1ee49fecdd079ca8a1dd4766bb7d04a2f6335bc727
        SHA512:4291ad253cae72452b74ffbb4f17731a35f9ff684026c92fa1b3edeffeb454621c8c0600201b52115c79088a493c6555edd66da552ace35ad4f22e88ddb4df2b
        SSDEEP:384:+v4aoqSFNdCCsapBXUVbIVemUsGDYGcRriBS8C1ec5Yd/:+gawFNdktIVLGDw1U/
        TLSH:0E526B1A5E3B0C319BD015DC1C78BE4FA2DA2F8268BB51E03A5A85D200421EF5BC56DF
        File Content Preview:Received: from ME3PR01MB7342.ausprd01.prod.outlook.com (2603:10c6:220:137::7).. by SY4PR01MB5929.ausprd01.prod.outlook.com with HTTPS; Tue, 11 Mar 2025.. 22:29:57 +0000..Received: from MEWPR01CA0067.ausprd01.prod.outlook.com (2603:10c6:220:1de::12).. by M
        Subject:Invoice#1427743190
        From:sales@seytrax.com
        To:chris.garner@casa.gov.au
        Cc:
        BCC:
        Date:Tue, 11 Mar 2025 22:28:51 +0000
        Communications:
          Attachments:
          • .svg
          Key Value
          Received: from [127.0.0.1] (unknown) by geopod-ismtpd-4 (SG) with ESMTP id KvyYbSq6QMW46YyOeG8rbQ for <chris.garner@casa.gov.au>; Tue, 11 Mar 2025 22:28:51.114 +0000 (UTC)
          Authentication-Results: spf=pass (sender IP is 149.72.154.232) smtp.mailfrom=em200.seytrax.com; dkim=pass (signature was verified) header.d=seytrax.com;dmarc=bestguesspass action=none header.from=seytrax.com;compauth=pass reason=109
          Received-SPF: Pass (s5casaseg.secureintellicentre.net.au: domain of bounces+35120025-a98c-chris.garner=casa.gov.au@em200.seytrax.com designates 149.72.154.232 as permitted sender) identity=mailfrom; client-ip=149.72.154.232; receiver=s5casaseg.secureintellicentre.net.au; envelope-from="bounces+35120025-a98c-chris.garner=casa.gov.au@em200.seytrax.com"; x-sender="bounces+35120025-a98c-chris.garner=casa.gov.au@em200.seytrax.com"; x-conformance=spf_only; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ip4:149.72.0.0/16 ip4:159.183.0.0/16 include:ab.sendgrid.net ~all"
          X-CSE-ConnectionGUID: xCI/3B/aQpuMVUI/tdxE0Q==
          X-CSE-MsgGUID: hp0LL7ZlQ0ikIa0j/kVaRw==
          Authentication-Results-Original: s5casaseg.secureintellicentre.net.au; spf=Pass smtp.mailfrom=bounces+35120025-a98c-chris.garner=casa.gov.au@em200.seytrax.com; dkim=pass (signature verified) header.i=@seytrax.com
          IronPort-SDR: 67d0b927_4S1JQQT79ioPYOIVOxqTbOIZ/XijD+F/xS81jkL2IZw2MsD el6Tutgm8AM2NGr2mzvotE5ySoFwI6FkgbdXL2w==
          X-SEG-AV: None
          X-SEG-Scan: whitelisted_sender
          X-ThreatScanner-Verdict: Negative
          X-IronPort-AV: E=Sophos;i="6.14,240,1736773200"; d="svg'217?scan'217,208,217";a="2811629"
          DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seytrax.com; h=content-type:content-transfer-encoding:from:subject:mime-version:to: cc:content-type:from:subject:to; s=s1; bh=jZpNqmM0DMe2JfBtkpXvOYzJld+EUEb2wmVpHd3UatQ=; b=QS1FcEJDq642Q5G0uzsWn+w173kaFENPG0bVbH617gN6RSOdD52qeCmVls5mwDja3brX StreB0mEN++SZbC3mah9jdC99ZlHqHHF733shQ2xKLBebLdgkw97P7t86tMEm4r5kE8ZET f/UKUtE6FBmiS7h33wg4bo2+TDPnrUuihlhhnom9RGDJOprR3LrQicOIo83+F+8RqoRQ83 52eD/WN6brwjzIgmc2Yx4/6wYsiB83HWLiT06THTPjvOE9ekkmbV7sdF3vsQt16xIkrnaW 4cFDKPk3j8Cz/eYMWjRaDyaRxxsKlYtBaD52pkqD01PgF/d7dOZyjAU3O7uYi4mw==
          Content-Type: image/svg+xml; name=".svg"
          Content-Transfer-Encoding: base64
          Content-Disposition: attachment; filename=".svg"
          From: sales@seytrax.com
          Subject: Invoice#1427743190
          Message-ID: <a09b5db5-0e14-5a14-3f7b-4fd574d16f45@seytrax.com>
          Date: Tue, 11 Mar 2025 22:28:51 +0000
          X-SG-EID: u001.oknQl3iCARn/Fw+zmbSPX/ZhO/QXJDb8l91gQs4HxsZoB1gABJsB83GaqoLXDUTQme0m6AXoHOJywYOrXk73DT++gYMgz9DLEFiCFwYy4jyDgkT8pQawhpeHUwpqSDvAVOB4fMd5sxSiEaisWBB0sNcSHWQwIQCnVeXXY0MtmRaYFmBLqi+e3riMKprkkN0Sx5KRPmrHCRRX1L9p/W/RqA==
          To: chris.garner@casa.gov.au
          X-Entity-ID: u001.OHwfc4nOvBQp2DzmxLSeww==
          Return-Path: bounces+35120025-a98c-chris.garner=casa.gov.au@em200.seytrax.com
          X-OrganizationHeadersPreserved: CBR50EXM04P.casa.local
          X-MS-Exchange-Organization-ExpirationStartTime: 11 Mar 2025 22:28:55.5766 (UTC)
          X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
          X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
          X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
          X-MS-Exchange-Organization-Network-Message-Id: 4ed9557f-0974-4e14-eb6e-08dd60ec1c0e
          X-EOPAttributedMessage: 0
          X-MS-Exchange-Organization-MessageDirectionality: Originating
          X-MS-Exchange-SkipListedInternetSender: ip=[149.72.154.232];domain=s.wrqvwxzv.outbound-mail.sendgrid.net
          X-MS-Exchange-ExternalOriginalInternetSender: ip=[149.72.154.232];domain=s.wrqvwxzv.outbound-mail.sendgrid.net
          X-CrossPremisesHeadersPromoted: ML1PEPF0001130A.ausprd01.prod.outlook.com
          X-CrossPremisesHeadersFiltered: ML1PEPF0001130A.ausprd01.prod.outlook.com
          X-MS-PublicTrafficType: Email
          X-MS-TrafficTypeDiagnostic: ML1PEPF0001130A:EE_|ME3PR01MB7342:EE_|SY4PR01MB5929:EE_
          X-MS-Exchange-Organization-AuthSource: CBR50EXM03P.casa.local
          X-MS-Exchange-Organization-AuthAs: Anonymous
          X-OriginatorOrg: casa.gov.au
          X-MS-Office365-Filtering-Correlation-Id: 4ed9557f-0974-4e14-eb6e-08dd60ec1c0e
          X-MS-Exchange-AtpMessageProperties: SA|SL
          X-MS-Exchange-Organization-SCL: 1
          X-Microsoft-Antispam: BCL:0;ARA:13230040|29132699027|3072899012|5062899012|2092899012|12012899012|82310400026|4143399015|3092899012|4053099003|3613699012|43540500003;
          X-Forefront-Antispam-Report: CIP:203.19.118.18;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:s.wrqvwxzv.outbound-mail.sendgrid.net;PTR:s.wrqvwxzv.outbound-mail.sendgrid.net;CAT:NONE;SFS:(13230040)(29132699027)(3072899012)(5062899012)(2092899012)(12012899012)(82310400026)(4143399015)(3092899012)(4053099003)(3613699012)(43540500003);DIR:INB;
          X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Mar 2025 22:28:55.5454 (UTC)
          X-MS-Exchange-CrossTenant-Network-Message-Id: 4ed9557f-0974-4e14-eb6e-08dd60ec1c0e
          X-MS-Exchange-CrossTenant-Id: 70a593b6-9064-47f5-9925-39d2dc35261c
          X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=70a593b6-9064-47f5-9925-39d2dc35261c;Ip=[203.19.118.18];Helo=[mail.casa.gov.au]
          X-MS-Exchange-CrossTenant-AuthSource: CBR50EXM03P.casa.local
          X-MS-Exchange-CrossTenant-AuthAs: Anonymous
          X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
          X-MS-Exchange-Transport-CrossTenantHeadersStamped: ME3PR01MB7342
          X-MS-Exchange-Transport-EndToEndLatency: 00:01:01.6410007
          X-MS-Exchange-Processed-By-BccFoldering: 15.20.8511.025
          X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4712020)(920097)(930097)(140003)(1420198);
          X-Microsoft-Antispam-Message-Info:
          MIME-Version: 1.0

          Icon Hash:46070c0a8e0c67d6