Windows Analysis Report
BHP Group Operations sent a new Purchase Order 4517137513.eml

Overview

General Information

Sample name:BHP Group Operations sent a new Purchase Order 4517137513.eml
Analysis ID:1666156
MD5:4a5eae393e5c1b935135a44a7cd1bb65
SHA1:08809db8f7f7f8114acacaa614d31bb776840c9d
SHA256:6600cd92afda84860ecb67288fb6fd1bc966c45d6321dac80f18f7842a662fe6
Infos:

Detection

Score:1
Range:0 - 100
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6348 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\BHP Group Operations sent a new Purchase Order 4517137513.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6468 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7C7072AE-E242-4FA3-9A20-AB8BA81026D4" "8C5428C2-C759-4897-9A05-049C1C320CB8" "6348" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6348, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

There are no malicious signatures.

Source: classification engine; Classification label: clean1.winEML@3/4@0/42
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250416T0418560682-6348.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\BHP Group Operations sent a new Purchase Order 4517137513.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7C7072AE-E242-4FA3-9A20-AB8BA81026D4" "8C5428C2-C759-4897-9A05-049C1C320CB8" "6348" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook
  • Defense Evasion: 1 Masquerading; 1 Modify Registry; 1 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: 1 Process Discovery; 1 File and Directory Discovery; 12 System Information Discovery; System Network Configuration Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
184.28.213.193 | unknown | United States | 16625 | AKAMAI-ASUS | false
23.34.82.8 | unknown | United States | 25019 | SAUDINETSTC-ASSA | false
20.189.173.1 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.123.128.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1666156
    Start date and time:2025-04-16 10:18:26 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:12
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:BHP Group Operations sent a new Purchase Order 4517137513.eml
    Detection:CLEAN
    Classification:clean1.winEML@3/4@0/42
    Cookbook Comments:
    • Found application associated with file extension: .eml
    • Exclude process from analysis (whitelisted): svchost.exe
    • Excluded IPs from analysis (whitelisted): 184.28.213.193, 23.34.82.8, 23.34.82.10, 52.123.128.14, 20.190.157.3
    • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, dual-s-0005-office.config.skype.com, fs.microsoft.com, login.live.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, omex.cdn.office.net.akamaized.net, a1864.dscd.akamai.net
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:modified
    Size (bytes):106496
    Entropy (8bit):4.489153168648104
    Encrypted:false
    SSDEEP:
    MD5:3E44AF40D94DA8A905375BBCA7891A55
    SHA1:D49A73FFAB0D3563D05058E03150AF674D91E76E
    SHA-256:4B5047194048921DA2DAA4C6E1B5E4B4FDDC0EF8811DB2A62F172F94E2ED6593
    SHA-512:C2A089688AEBE86DA141F158C9C3216FCA82509D49999C22922224444C8FA6E9824F814BB8D6B2C3471129B83ADED703D0A03DCAF0559112CC6FFB502F50AAFC
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:GIF image data, version 89a, 15 x 15
    Category:dropped
    Size (bytes):663
    Entropy (8bit):5.949125862393289
    Encrypted:false
    SSDEEP:
    MD5:ED3C1C40B68BA4F40DB15529D5443DEC
    SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
    SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
    SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):271360
    Entropy (8bit):5.17694269044196
    Encrypted:false
    SSDEEP:
    MD5:71B7478916D3ACEFE21C5128E64EB22C
    SHA1:254BB6404035609A47086C987EA2097A9799CB15
    SHA-256:97028AC35361FFE0BC4C4C3B1B8E0CBD69D553A9DCAFCC1BA2E4264694F94B22
    SHA-512:D1F02A5FB9F3F8634546259DD760C20D577370B728BEC396336C574DDE84A46C5C76407D3296D52167433CDDDAAC792603C245737134950AE99FDA5FFE364909
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):262144
    Entropy (8bit):4.672846187964245
    Encrypted:false
    SSDEEP:
    MD5:AD0E39DEFCDC2B98AC5DA753D1453815
    SHA1:CFD8DA72D367F6B3B3558C15BE23C8B1E13143ED
    SHA-256:8978F1C795AB0A1CA58058643DB993B9D5A9F1D1A605C147995DD8D5DF618EB8
    SHA-512:8130C20D6BE268A8E74312667171DB639B70A1A6A70439ACF392878FF2EE21BC6DA10C9204633CC81D4D25BCB3333A7A82D04712DA7CFF2DAB51AA754897B513
    Malicious:false
    Reputation:unknown
    File type:RFC 822 mail, Unicode text, UTF-8 (with BOM) text, with very long lines (324), with CRLF line terminators
    Entropy (8bit):5.831544009233416
    TrID:
    • Text - UTF-8 encoded (3003/1) 100.00%
    File name:BHP Group Operations sent a new Purchase Order 4517137513.eml
    File size:178'489 bytes
    MD5:4a5eae393e5c1b935135a44a7cd1bb65
    SHA1:08809db8f7f7f8114acacaa614d31bb776840c9d
    SHA256:6600cd92afda84860ecb67288fb6fd1bc966c45d6321dac80f18f7842a662fe6
    SHA512:56f91e2e33e3a6738944ca3c5ef004d7b393414c21fc438ffa1cf1517deeb07aeaa36fdac961e0706554727739a43868466555a843f994b6a8b5131702d1ab5b
    SSDEEP:3072:y7pHUFxrDd8aQWv3aQgH3DRHRiGgUIjPna/xq8GsAKC0Krdw:qUHrDd8aQWfaQgH3viG/IjPnaI8nhKrm
    TLSH:2A041899BE522F58C7D1790DB5AF6CD26F3A778B14A2B068003F46C508F87851EF25E8
    File Content Preview:...Received: from PR3P193MB0489.EURP193.PROD.OUTLOOK.COM (2603:10a6:102:30::20).. by AM0P193MB0660.EURP193.PROD.OUTLOOK.COM with HTTPS; Mon, 28 Oct 2024.. 06:09:43 +0000..Received: from AM0PR02CA0034.eurprd02.prod.outlook.com (2603:10a6:208:3e::47).. by P
    Subject:BHP Group Operations sent a new Purchase Order 4517137513
    From:"\"BHP Group Operations\"" <ordersender-prod@ansmtp.ariba.com>
    To:VCAU SalesAdmin <VCAU.SalesAdmin@vossloh.com>
    Cc:
    BCC:
    Date:Mon, 28 Oct 2024 06:04:04 +0000
    Communications:
    • CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

      You can reply to this message. SAP Business Network or other Ariba cloud services will send your reply to the appropriate message recipient(s) and link it to its corresponding document. SAP Ariba stores your contact information (email and name) according to the policy at https://service.ariba.com/w/collab-platform/common/tou/en/MessagingPolicy.html. By replying to this message, you're accepting the terms in the policy.

      [SAP BUSINESS NETWORK] BHP Group Operations sent a new order

      If more than one email address is associated with your organization for PO delivery, then the copy of this purchase order would be sent to them as well.

      Message from your customer BHP Group Operations

      You are now transacting with BHP using the Ariba Network to provide a more efficient, easy-to-use collaboration platform for its inbound supply chain. Please click "Process order" to login and confirm this purchase order on the Ariba Network. BHP request that you confirm all Purchase Orders PO within 24 hours of receipt. You must confirm a PO before you can create either a Service Entry Sheet or Ship Notice (if applicable) and create the invoice via the Ariba Network (if applicable).

      NOTE: DO NOT LOSE THIS EMAIL. Save this email and all future purchase order notifications. You will need them to directly access your purchase order within your account and to submit your invoices (use the Process Order button included in the notification)

      Help and Support:
      * For Ariba support, click the Help Center link at the bottom of this email
      * For any matter related to the Purchase Order contact the Purchasing Officer listed on the PO.
      * For queries related to your BHP account contact bhpsupply_ariba@bhp.com
      * Training guides from BHP and Ariba can be accessed from Ariba Supplier Education Portal (https://support.ariba.com/item/view/171401) and from the BHP Transacting with BHP page at https://www.bhp.com/info/supplying-to-bhp
      * If you need support please use the Online Help via Help Center Ariba Exchange User Community

      [https://service.ariba.com/an/logos/AN01015189973-SCXMLViewerDEV.gif]

      Process order <https://service.ariba.com/Supplier.aw/ad/laDoc?sc=M2NmZTE3NDUtNGI5OC00M2U3LThlYzYtNDM3M2Y2M2I0NTRjOjE3MDAwMDAwMDAwMDAwMDAwMDAwMDY0MDgwMjQ6MTc%3D&accttype=TElHSFQ%3D>

      This purchase order was delivered by SAP Business Network. For more information about Ariba and SAP Business Network, visit https://www.ariba.com.

      From: VOSSLOH COGIFER AUSTRALIA PTY LTD
      To: VOSSLOH COGIFER AUSTRALIA 361 Barker Street CASTLEMAINE Victoria 3450 Australia Phone: +61 (03) 44111522 Fax: Email: VCAU.SalesAdmin@vossloh.com, Melissa.Jones@vossloh.com

      Purchase Order (New) 4517137513
      Amount: $ 27,518.63 AUD
      Version: 1

      Payment Terms
      Within 60 days Due net

      Contact Information
      Supplier Address VOSSLOH COGIFER AUSTRALIA PTY LTD Email: VCAU.SalesAdmin@vossloh.com Phone: +61 () 0354704800 Fax: +61 () 0354704801
      Purchasing Agent WAIO.Port Email: S25@bhp.com Buyer ID: 30134345

      Other Information
      Company Code: FX00
      Purchase Group: S25
      Purchase Organization: FF10
      Customer VAT/Tax ID: 46 008 700 981
      Supplier VAT ID: 98118751929
      Party Additional ID: 30134345

      Transport Terms Information
      Delivery Terms: Transport Condition
      Transport Terms: CPT ( Carriage Paid To )
      Transport Location: LINFOX
      Order Type: Goods PO

      Ship All Items To
      Perth Main Warehouse 36 Stockyard Lane Hazelmere WA 6055 Australia
      Ship To Code: FX1A
      Location Code: FX1A
      Storage Location ID: 0100

      Bill To
      BHP Iron Ore Pty Ltd St Georges Terrace-125 Perth WA 6000 Australia Phone: Fax:
      Buyer ID: FX00

      Line Items
      Line # No. Schedule Lines Part # / Description Customer Part # Type Return Revision Level Qty (Unit) Need By Unit Price Subtotal Tax Customer Location Storage Location
      10 1 300.B19760V02 11216520 Material 1.000 (EA) 5 Mar 2025 $27,518.63 AUD $27,518.63 AUD $2,751.86 AUD FX1A 0100
      TURNOUT,RAILWAY,R320 VCD,1:15,RH,RIGHT H

      Control Keys
      Order Confirmation: allowed
      Ship Notice: allowed
      Invoice: is not ERS

      Comments
      Material PO Text : Turnout,Railway Short Name Turnout,Railway Design type R320 VCD Crossing rate: 1:15 Left or right hand Right hand Turn out hand Right hand turnout Rail size AS68kg Furnished items Right hand curved stock Furnished items Straight switchblade Furnished items Fixed components listed

      Ship To
      Perth Main Warehouse 36 Stockyard Lane Hazelmere WA 6055 Australia
      Ship To Code: FX1A

      Tax
      Tax Category Tax Rate (%) Taxable Amount Tax Amount Tax Location Description Exempt Detail
      GST 10.000 $27,518.63 AUD $2,751.86 AUD

      Schedule Lines
      Schedule Line # Delivery Date Ship Date Quantity (Unit) Customer Proposed Qty (Unit) Customer Proposed Delivery Date
      1 5 Mar 2025 11:00 pm AEDT 1.000 (EA)

      Other Information
      Storage Location: 0100
      articleNumber: Z9
      Receiving Type: 4
      External Line Number: 10
      Estimated days for inspection: 8
      Classification Domain: unspsc
      Classification Code: 25121700

      Transport Terms Information
      Delivery Terms: Transport Condition
      Transport Terms: CPT
      Transport Location: LINFOX

      Terms and Conditions: All correspondence, including invoices and packages, must reference the above Purchase Order number. "All commercial enquires relating to this Purchase Order must be addressed with the listed BHP Purchasing contact. For more information regarding our invoicing guidelines and requirements, please visit (https://www.bhp.com/info/supplying-to-bhp)". If unable to meet the specified delivery date, promptly notify the BHP Contact person noted on page one of this document.

      Values above reflect the calculated taxes (as applicable) based on the Supplier provided unit pricing. Should Supplier identify any discrepancies between the expected taxation of the Goods/ Services and the taxes as calculated herein, you are requested to reach out to the BHP Purchasing contact for this Purchase Order to resolve prior to submittal of any invoices. Failure to do so may result in rejection of invoices, or delays in payment.

      This order is issued by BHP Iron Ore Pty Ltd (46 008 700 981) pursuant to and subject to the applicable terms and conditions referred to below: (i) where there is an executed written agreement in force between the Supplier and BHP which relates to goods and/or services the subject of this Order, then this Order is issued pursuant to and subject to the terms and conditions of the relevant agreement; (ii) where there is no other written agreement in force between the Supplier and BHP, then this Order is issued subject to the BHP Purchase Order Terms and Conditions in force at the date of this Order. The BHP Purchase Order Terms and Conditions can be accessed from the BHP website (https://www.bhp.com/info/supplying-to-bhp) or alternatively, can be obtained by contacting the BHP contact on this document. By acceptance of this Order, the Supplier accepts the terms and conditions stated herein, the Service and Purchase Order Terms and Conditions and, if applicable, the terms and conditions of any additional agreements with the Supplier relevant to this Order.

      BHP Iron Ore Pty Ltd
      Order submitted on: Monday 28 Oct 2024 11:00 pm GMT+11:00
      Received by SAP Business Network on: Monday 28 Oct 2024 5:03 pm GMT+11:00
      This Purchase Order was sent by BHP Group Operations AN01015189973 and delivered by SAP Business Network.

      Sub-total: $ 27,518.63 AUD
      Est. Total Tax: $ 2,751.86 AUD
      Est. Grand Total: $ 30,270.49 AUD

      Questions or comments for your customer?
      Post message <https://service.ariba.com/Supplier.aw/ad/collabPo?sc=M2NmZTE3NDUtNGI5OC00M2U3LThlYzYtNDM3M2Y2M2I0NTRjOjE3MDAwMDAwMDAwMDAwMDAwMDAwMDY0MDgwMjQ6MTc%3D>
      Process order <https://service.ariba.com/Supplier.aw/ad/laDoc?sc=M2NmZTE3NDUtNGI5OC00M2U3LThlYzYtNDM3M2Y2M2I0NTRjOjE3MDAwMDAwMDAwMDAwMDAwMDAwMDY0MDgwMjQ6MTc%3D&accttype=TElHSFQ%3D>

      About this email
      If you have any questions, contact BHP Group Operations. If you're not the correct person to receive this email, forward it to the appropriate person in your company. Note: All transactions relating to your customer's purchase orders are solely between you and your customer and are subject to the terms of your existing agreement(s) with your customer. Ariba is not an agent for your customer, and is not responsible for anything contained in the purchase order submitted on behalf of your customer.

      [https://service.ariba.com/an/p/Ariba/App-Store-90x31.png] <https://apps.apple.com/us/app/sap-business-network-supplier/id1604643590?ls=1&mt=8>
      [https://service.ariba.com/an/p/Ariba/Google-Play-90x31.png] <https://play.google.com/store/apps/details?id=com.sap.ariba.mint>
      Go Mobile

      Ariba, Inc., 3420 Hillview Ave, Bldg3, Palo Alto, CA 94304, USA
      SAP Business Network Privacy Statement<https://www.sap.com/agreements-sap-business-network-privacy-statement> | Ariba Data Policy<https://www.ariba.com/legal/ariba_data_policy.cfm> | Help Center<https://uex.ariba.com/le/email-light-account-registered>
    Attachments:
    • 4517137513.htm
    Key Value
    Received by mx prod produs-c4-smtp-out-an-s2-z1-2
    From "\"BHP Group Operations\"" <ordersender-prod@ansmtp.ariba.com>
    To VCAU SalesAdmin <VCAU.SalesAdmin@vossloh.com>
    Subject BHP Group Operations sent a new Purchase Order 4517137513
    Thread-Topic BHP Group Operations sent a new Purchase Order 4517137513
    Thread-Index AQHbKP/7Qsqz1zdJ8Uyi8mx93gyu8Q==
    X-MS-Exchange-MessageSentRepresentingType 1
    Date Mon, 28 Oct 2024 06:04:04 +0000
    Message-ID <AN-ORD-EID#prod#5xlqhe44igy2sxnuia#17#AN-PO-CLB#OI9DOrpD8zt4yUNOVXH7jGajoRvmGtQxZMhkvWCxjHGN3XhfStUs9B9TRYKT2ovPoSwEJoxQh00iqqGTvu5u8H7LupJ8i2MEopkTcOs7AZ83xgFKcFUJCNexF2oIuWuyBnxmL+S00btg2RqEYw+Azg==#1349872508.1730095443104.JavaMail.anprod@produs-c2-an-s2-z2-1.us2.gcpint.ariba.com>
    Reply-To "\"BHP Group Operations\"" <messaging-prod@smtp-c1.ariba.com>
    Content-Language en-AU
    X-MS-Exchange-Organization-AuthAs Anonymous
    X-MS-Exchange-Organization-AuthSource AM3PEPF0000A790.eurprd04.prod.outlook.com
    X-MS-Has-Attach yes
    X-MS-Exchange-Organization-Network-Message-Id eb2806f4-526e-44b7-4b4b-08dcf716539f
    X-MS-TNEF-Correlator
    X-MS-Exchange-Organization-RecordReviewCfmType 0
    received-spf Pass (protection.outlook.com: domain of ansmtp.ariba.com designates 104.197.217.166 as permitted sender) receiver=protection.outlook.com; client-ip=104.197.217.166; helo=mx03.us.cloud.ariba.com; pr=C
    x-ms-publictraffictype Email
    authentication-results spf=pass (sender IP is 104.197.217.166) smtp.mailfrom=ansmtp.ariba.com; dkim=pass (signature was verified) header.d=ansmtp.ariba.com;dmarc=pass action=none header.from=ansmtp.ariba.com;compauth=pass reason=100
    x-eopattributedmessage 0
    x-forefront-antispam-report CIP:104.197.217.166;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mx03.us.cloud.ariba.com;PTR:mx03.us.cloud.ariba.com;CAT:NONE;SFS:(13230040)(69100299015)(6062899009)(35002699018)(3072899012)(5082899009)(4092899012)(3092899012)(12012899012)(13102899012)(13012899012)(2092899012)(5062899012)(8096899003)(4076899003);DIR:INB;
    x-ms-office365-filtering-correlation-id eb2806f4-526e-44b7-4b4b-08dcf716539f
    x-ms-traffictypediagnostic AM3PEPF0000A790:EE_|PR3P193MB0489:EE_|AM0P193MB0660:EE_
    x-ms-exchange-transport-endtoendlatency 00:05:39.6126561
    x-ms-exchange-crosstenant-id 1790b5b9-9585-4043-a430-926cf37fa9da
    x-ms-exchange-crosstenant-fromentityheader Internet
    x-ms-exchange-crosstenant-originalarrivaltime 28 Oct 2024 06:04:04.1557 (UTC)
    x-microsoft-antispam BCL:3;ARA:13230040|69100299015|6062899009|35002699018|3072899012|5082899009|4092899012|3092899012|12012899012|13102899012|13012899012|2092899012|5062899012|8096899003|4076899003;
    x-ms-exchange-transport-crosstenantheadersstamped PR3P193MB0489
    x-ms-exchange-crosstenant-network-message-id eb2806f4-526e-44b7-4b4b-08dcf716539f
    dkim-signature v=1; a=rsa-sha256; c=simple/simple; d=ansmtp.ariba.com; s=m1; t=1730095443; bh=VW2STBWkruUUIsCKE0I4vvv7uaO1fMYV+ZZb23Cd2vk=; h=From:Reply-To:To:Subject:From; b=cmGPH994Ta1JND+laXEK6pW/Z087A2hqv4cdKJFUcNxSNx6Vi9ywD6M8qihQURigI lqrpGHeq1g194HI3Zukj2UG3Q2AEXM9BsXlXPbuTCyCujIasupHtaZSEby8ul29PCA ajdODCaZ9W5quKh+pcarxP2XiqHTuUcTr9hbOXKbA0LJkFXLMyZlFxCP/P87X9/80R N35dA1MMzYQ7DP+zqsBntnmbogIpn4aj78HZnRiokwMYMuCWi5P2PK9L+gWVSnsqk9 1pEM0RW+SwG3oYpdSzGoEPJG6K9CQrrJDWELE4fuTW3MPSkwQxNDbdWSJlLi9/wBnJ +908KWa5CpXMw==
    x-eoptenantattributedmessage 1790b5b9-9585-4043-a430-926cf37fa9da:0
    x-ms-exchange-atpmessageproperties SA|SL
    x-ms-exchange-processed-by-bccfoldering 15.20.8093.023
    x-ms-exchange-crosstenant-authsource AM3PEPF0000A790.eurprd04.prod.outlook.com
    x-ms-exchange-crosstenant-authas Anonymous
    X-Microsoft-Antispam-Mailbox-Delivery wl:1;pcwl:1;ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(811239)(255002)(410001)(930097)(140003);
    Content-Type multipart/mixed; boundary="_004_ANORDEIDprod5xlqhe44igy2sxnuia17ANPOCLBOI9DOrpD8zt4yUNO_"
    MIME-Version 1.0

    Icon Hash:46070c0a8e0c67d6