Create Interactive Tour

Windows Analysis Report
email.eml

Overview

General Information

Sample name:	email.eml
Analysis ID:	1672166
MD5:	6bd82d0f02a339be4e0a2afb74710326
SHA1:	29c0b32e83300985e6f62637c9f0c718e7311ab6
SHA256:	70dd2183a4aa21a18ca2d0d8703641e1e3072548ee7a5da2453a8cc344fb40c8
Infos:

Detection

Score:	21
Range:	0 - 100
Confidence:	80%

Signatures

AI detected suspicious elements in Email content

Queries the volume information (name, serial number etc) of a device

Stores large binary data to the registry

Classification

×

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6188 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\email.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 4496 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6B10B03D-F4C8-4E27-BFA0-FAC3BC200DB3" "3A8C9721-9E17-44E0-8AD4-C3FE028E6537" "6188" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6188, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Phishing
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Phishing

AI detected suspicious elements in Email content

Source: email.eml

Joe Sandbox AI: Detected potential phishing email: The email appears to be duplicated multiple times in the content, suggesting potential manipulation or technical issues. While the sender appears to be from Google, the repetitive nature and formatting issues are suspicious and not typical of legitimate Google communications. The URL structure contains multiple redirects and unusual parameters, which is different from typical direct Google account links

Source: Email

Classification: Credential Stealer

Source: classification engine

Classification label: sus21.winEML@3/3@0/49

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250423T1039540510-6188.etl

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\email.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6B10B03D-F4C8-4E27-BFA0-FAC3BC200DB3" "3A8C9721-9E17-44E0-8AD4-C3FE028E6537" "6188" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6B10B03D-F4C8-4E27-BFA0-FAC3BC200DB3" "3A8C9721-9E17-44E0-8AD4-C3FE028E6537" "6188" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	11 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
email.eml	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-0005.dual-s-msedge.net	52.123.129.14	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.209.84.39	unknown	United States		16625	AKAMAI-ASUS	false
52.182.143.214	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.123.129.14	s-0005.dual-s-msedge.net	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.20.39	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
184.29.183.29	unknown	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1672166
Start date and time:	2025-04-23 16:38:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	email.eml
Detection:	SUS
Classification:	sus21.winEML@3/3@0/49
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29, 52.109.20.39, 23.209.84.39, 23.209.84.26, 52.182.143.214, 52.123.129.14, 20.190.151.67, 4.245.163.56
Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, fs.microsoft.com, slscr.update.microsoft.com, us2.roaming1.live.com.akadns.net, ctldl.windowsupdate.com, scus-azsc-000.roaming.officeapps.live.com, prod.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, onedscolprdcus19.centralus.cloudapp.azure.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, osiprod-scus-buff-azsc-000.southcentralus.cloudapp.azure.com, c.pki.goog, omex.cdn.office.net.akamaized.net, mobile.events.data.trafficmanager.net, a1864.dscd.akamai.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250423T1039540510-6188.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	102400
Entropy (8bit):	4.467589557230667
Encrypted:	false
SSDEEP:
MD5:	045CFE542EA8923458B3825E2B0D0E87
SHA1:	9F694EFA6C5925E126C89D48F9D85C0D86BCECBE
SHA-256:	8E9FD3B36BE4CDE7C4CA7DFF3CF78DEA7C2A00D8D25B91883C29A73774F711B3
SHA-512:	94602DCB5B4942165D1662D9519F4D861088E5B988374074344FBA1547B23E37524860F9CE1BCB89D248E878E149F4B95F4F25C355D32CD89B2A109D381379C2
Malicious:	false
Reputation:	unknown
Preview:	............................................................................`...,...,......]...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................N8..............]...........v.2._.O.U.T.L.O.O.K.:.1.8.2.c.:.a.a.a.3.5.2.5.b.7.a.8.7.4.2.b.1.9.4.0.d.a.a.1.a.2.1.b.a.4.4.3.c...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.4.2.3.T.1.0.3.9.5.4.0.5.1.0.-.6.1.8.8...e.t.l.......P.P.,...,......]...........................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.9579964542295065
Encrypted:	false
SSDEEP:
MD5:	4DB36B2D9626EDF870F111DCB841E124
SHA1:	94B0A9FD46D414713405DE4D32208B5CC29F8F1C
SHA-256:	4EE354CC9A3E7DA0D745E86E0099A4DDFAE3459116423613F2C8363E5621A4B1
SHA-512:	B3C1B42DD4DC7ADC788FC96DB435802A6436203D2DFEF3A3A205DAEFA8308F77F6FB4793CB2E5CC55DB6C0D6B1FC45B6F832A2D92BDF8BE8EDA2EFC1EB85D18F
Malicious:	false
Reputation:	unknown
Preview:	!BDN./>-SM......\...6...........A......._................@...........@...@...................................@...........................................................................$.......D.......y..............@...............=...................................................................................................................................................................................................................................................................................................77.o.s.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	3.5182506187652876
Encrypted:	false
SSDEEP:
MD5:	6618564E4458BA02748EA4E48AC91688
SHA1:	6DF5376BE2479A4DD9BF610AD3E1BC571C33F7C9
SHA-256:	CDF7F5A3863A3B1BB76338D6EBB91A37A0F908B1327D3B2E801E07B6633D631A
SHA-512:	A6C54E135A63D16F9582D17664B113563C814D5FA1F96CD088844AAB13B8A2A015D07B967BB08700DC39EBB8F74D93235A8E9BB608F5DB06E903BECEC550A8B4
Malicious:	false
Reputation:	unknown
Preview:	.sS.C..._.......,.....].....................#.!BDN./>-SM......\...6...........A......._................@...........@...@...................................@...........................................................................$.......D.......y..............@...............=...................................................................................................................................................................................................................................................................................................77.o.s...]........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with very long lines (2221), with CRLF line terminators
Entropy (8bit):	5.729504017344136
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	email.eml
File size:	26'056 bytes
MD5:	6bd82d0f02a339be4e0a2afb74710326
SHA1:	29c0b32e83300985e6f62637c9f0c718e7311ab6
SHA256:	70dd2183a4aa21a18ca2d0d8703641e1e3072548ee7a5da2453a8cc344fb40c8
SHA512:	37ad39e56b434691a516d4e851e87e3a68049c578e30fc73f841f3461200c7bd8c135e81ceb8a60df77dd822e3748d32f85186eaacecee37f4921fb50e3fbddc
SSDEEP:	384:0x8OcXRIgQOwS4O+O59fIB9HlW9/edyIVnB9gg3kbcWCkE57u:HOchIgQOX4O+O59wB9Hw/tSawwj
TLSH:	4CC24D57F1D4189211EB86D4A403367C7F7909D98BB25EB8B89E3BFC5BA8CD3060426D
File Content Preview:	Received: from BN0P221MB0654.NAMP221.PROD.OUTLOOK.COM.. (2603:10b6:408:149::11) by SJ5PPF480573606.NAMP221.PROD.OUTLOOK.COM with.. HTTPS; Tue, 22 Apr 2025 22:45:22 +0000..Received: from DS7PR07CA0010.namprd07.prod.outlook.com.. (2603:10b6:5:3af::29) by BN

Static Mail

General

Subject:	Help strengthen the security of your Google Account
From:	Google <no-reply@accounts.google.com>
To:	Cliff True <ctrue@jmark.com>
Cc:
BCC:
Date:	Tue, 22 Apr 2025 12:55:14 +0000
Communications:	You don't often get email from no-reply@accounts.google.com. Learn why this is important CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA <!-- .awl a {color:#FFFFFF; text-decoration:none} .abml a {color:#000000; font-family:Roboto-Medium,Helvetica,Arial,sans-serif; font-weight:bold; text-decoration:none} .adgl a {color:rgba(0,0,0,0.87); text-decoration:none} .afal a {color:#b0b0b0; text-decoration:none} @media screen and (min-width: 600px) { .v2sp {padding:6px 30px 0px} .v2rsp {padding:0px 10px} } --> You don't often get email from no-reply@accounts.google.com. Learn why this is important CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA You don't often get email from no-reply@accounts.google.com. Learn why this is important You don't often get email from no-reply@accounts.google.com. Learn why this is important You don't often get email from no-reply@accounts.google.com. Learn why this is important You don't often get email from no-reply@accounts.google.com. Learn why this is important You don't often get email from no-reply@accounts.google.com. Learn why this is important Learn why this is important https://aka.ms/LearnAboutSenderIdentification CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. CAUTION: Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/emailYou received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Verify ctrue@jmark.com as your recovery emailctrue@jmark.comVerifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/email Verify ctrue@jmark.com as your recovery emailctrue@jmark.com Verify ctrue@jmark.com as your recovery email Verify ctrue@jmark.com as your recovery email Verify ctrue@jmark.com as your recovery email Verify ctrue@jmark.com as your recovery email Verify ctrue@jmark.com as your recovery email ctrue@jmark.com ctrue@jmark.com ctrue@jmark.com ctrue@jmark.com ctrue@jmark.com Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/email Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/email Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity.Take actionYou can also go directly to:https://myaccount.google.com/recovery/email Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity. Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity. Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity. Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity. Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity. Verifying your recovery email will confirm its an active email that belongs to you. Google can use your recovery email to contact you if you ever need help signing in or if we notice suspicious activity. Take action Take action Take action https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccounts.google.com%2FAccountChooser%3FEmail%3Dctrue%40jmark.com%26continue%3Dhttps%3A%2F%2Fmyaccount.google.com%2Femail%3Futm_source%253Dgoogle%2526utm_medium%253Demail%2526utm_campaign%253Dsap%2526aneid%253D-528857284082752409%2526sea%253D28%2526rfn%253D1745326514055%2526anexp%253Dsapef-a12--saprfsm-const&data=05%7C02%7Cctrue%40jmark.com%7Ce649c4e08f1f4e66340108dd81ef5a6c%7C1fa8a682acc74025abff5f8878e1d105%7C1%7C0%7C638809587225175179%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=44g%2BUyk4k9NjmuWTUTefBtDhueyg0eJnmK6G7J9rUKc%3D&reserved=0 You can also go directly to:https://myaccount.google.com/recovery/email You can also go directly to:https://myaccount.google.com/recovery/email https://myaccount.google.com/recovery/email You received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA You received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA You received this email to let you know about important changes to your Google Account and services. 2025 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Attachments:

Headers

Key	Value
Received	by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-b0e6b7ea77dso4252004a12.3 for <ctrue@jmark.com>; Tue, 22 Apr 2025 15:45:16 -0700 (PDT)
Authentication-Results	spf=softfail (sender IP is 209.222.82.239) smtp.mailfrom=gaia.bounces.google.com; dkim=pass (signature was verified) header.d=accounts.google.com;dmarc=pass action=none header.from=accounts.google.com;compauth=pass reason=100
Received-Spf	SoftFail (protection.outlook.com: domain of transitioning gaia.bounces.google.com discourages use of 209.222.82.239 as permitted sender)
Dkim-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601; t=1745361915; x=1745966715; darn=jmark.com; h=to:from:subject:message-id:feedback-id:date:mime-version:from:to:cc :subject:date:message-id:reply-to; bh=VuypU+BPjCkyOGPMVBi5vNvtCJ/OGSEgf3csacFbeWk=; b=STDKmW1rBVwXdRV0A68Q2TUQMIpw7O3kvcvhnwqKkoCXxmEvjta9iusP3DZnPTDrFI x8yAs6FD9XFIeS3DZIXBg+fet07GEOotuHaB7YZq2rIrpaVZaawkm7iwiaZNu5hsAy3S gnY3l8t702emC+dP+H2Q8J6Hm8KTJbZmwE74FVUAPkKIWXBBeRvJqznF2F3106eOcfiE jF85BSaPQeHghpLIA86VTG/QorRrFTZ1jmVrdSwbVRxARPkFxGHNwseWjU0RKyQp936b 3C4CXDeCImrBf/jPzykyqUL28CxtAu0qmH+XisrHVArMFmPPnThGWqvHQSqDOwM/IXal QKFw==
X-Google-Dkim-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745361915; x=1745966715; h=to:from:subject:message-id:feedback-id:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=VuypU+BPjCkyOGPMVBi5vNvtCJ/OGSEgf3csacFbeWk=; b=IpU/9VPAyUSw5K83aF6Tvg7sPM4B4474XnDy9dBlJF+0We6XiUyQnPLgZkqWmJqgQn 7Bf3QHBR3miay+ORkvjVTKPdvrN8QlVSwEAtfXv+y5W+j6UVXxvsqp10ZWugBpH/PPqD vLqm4AD9mKhz0z9O89nQNPHqxxmcYQAA4Pz8q1+pa0H9TrQIM6jz29M7appMR/S5Sb29 dullejw1vuZKW0N3FJ7qYuTIzEA2yFFdUbNsBQ2r2qW4ES4hPSqPjb05hl4wtyqD/MaJ FiYUCdPu7PU5YMDtZBrox03qN/4Oe4k0HmQnZ89c0C61Tz6KE3XX2s6ZQI5rH8QHuNmW AaKA==
X-Gm-Message-State	AOJu0YxHGK9onB52xNdAPqQ4ta0jgyvhky66LRihM63kgFOUt4cSNIGw dfje2yAHM8AU9zlP5DmYS6sqLqdChdH97+54+j9BcuqR9ex4v3WPB99iRtQaPc1ni1PNsQDM1FL +0VSAKS42Dtkkmqs1zEctRhXcdapDDxMthj8=
X-Google-Smtp-Source	AGHT+IFAVyIa9HlvUWp/TjbR/X7qjSIxj0Lbq8iz8n6FTGbBA+/E6BLnIsIpOe0SAc1vL5bQbxzLdkDl6l8i0pCdmNnX7w==
MIME-Version	1.0
X-Received	by 2002:a17:90a:d60b:b0:2ff:64c3:3bd4 with SMTP id 98e67ed59e1d1-3087bcc8ff1mr22274944a91.31.1745361915550; Tue, 22 Apr 2025 15:45:15 -0700 (PDT)
Date	Tue, 22 Apr 2025 12:55:14 +0000
X-Account-Notification-Type	188-anexp#sapef-a12--saprfsm-const
Feedback-Id	188-anexp#sapef-a12--saprfsm-const:account-notifier
X-Notifications	c046c6d8cb8a0000
X-Notifications-Bounce-Info	Ab2lIHWO-T9xU3YmvlQPDNtAgetpZVTw0PSc033oWP9EHSj2ivIkafWEaX4U-weQKDiPqD0MeNanDlX4DXVDClUmOm0GoHJ1xWPQ5gXzTHRZUueb2GGOqXwwh76L5NIRZEUIzsNhkQOplZuIoPpGtqCojhFkOmQ66IaGBYI54WR8rNqOdR7eUN5jWzOBCArWb4nrfNbaQ1MNjAwNjA0MDQxNTM1NTk2OTMzMg
Message-Id	<5gQpUQQbioKwTvzr_3nl6g@notifications.google.com>
Subject	Help strengthen the security of your Google Account
From	Google <no-reply@accounts.google.com>
To	Cliff True <ctrue@jmark.com>
Content-Type	multipart/mixed; boundary="----sinikael-?=_1-17453620856050.2185007325211037"
X-Bess-Id	1745361915-110351-7713-3803-1
X-Bess-Ver	2019.1_20250422.2023
X-Bess-Apparent-Source-Ip	209.85.215.202
X-Bess-Parts	H4sIAAAAAAACAzXLsQ6DMAyE4XfxzEAS20d4lapD4hixIIZmqFTx7s0Ay+nXSd /rR/7ttFIfO9H5oXWJOmIfH4uoz6lqjeqIhpYThE2cscFA1/TwvR83l8x4fAhmzRTBub BnFA3VvLQZabG60fX+A7eiopmAAAAA
X-Bess-Info	H4sIAAAAAAACA6tWSslMUbIyNDA2NzfQUUrJU7JSyspNLMrWS87PVaoFAM40WQw fAAAA
Return-Path	3-xsIaAgTBZoHI-L8JFS466IOHNM.AIIAF8.6IG6NLO8DG4LE.6IG@gaia.bounces.google.com
X-Ms-Exchange-Organization-Expirationstarttime	22 Apr 2025 22:45:17.0685 (UTC)
X-Ms-Exchange-Organization-Expirationstarttimereason	OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval	1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason	OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id	e649c4e0-8f1f-4e66-3401-08dd81ef5a6c
X-Eopattributedmessage	0
X-Eoptenantattributedmessage	1fa8a682-acc7-4025-abff-5f8878e1d105:0
X-Ms-Exchange-Organization-Messagedirectionality	Incoming
X-Ms-Publictraffictype	Email
X-Ms-Traffictypediagnostic	CY4PEPF0000EDD7:EE_\|BN0P221MB0654:EE_\|SJ5PPF480573606:EE_
X-Ms-Exchange-Organization-Authsource	CY4PEPF0000EDD7.namprd03.prod.outlook.com
X-Ms-Exchange-Organization-Authas	Anonymous
X-Ms-Office365-Filtering-Correlation-Id	e649c4e0-8f1f-4e66-3401-08dd81ef5a6c
X-Ms-Exchange-Atpmessageproperties	SA\|SL
X-Ms-Exchange-Organization-Scl	1
X-Microsoft-Antispam	BCL:3;ARA:13230040\|5083199021\|30052699003\|5082899009\|5073199012\|7093399015\|69100299015\|3072899012\|5062899012\|3092899012\|43022699015\|4092899012\|13102899012\|13012899012\|12012899012\|2092899012\|13003099007\|8096899003\|7053199007;
X-Forefront-Antispam-Report	CIP:209.222.82.239;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:outbound-ip62b.ess.barracuda.com;PTR:outbound-ip62b.ess.barracuda.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(5083199021)(30052699003)(5082899009)(5073199012)(7093399015)(69100299015)(3072899012)(5062899012)(3092899012)(43022699015)(4092899012)(13102899012)(13012899012)(12012899012)(2092899012)(13003099007)(8096899003)(7053199007);DIR:INB;SFTY:9.25;
X-Ms-Exchange-Crosstenant-Originalarrivaltime	22 Apr 2025 22:45:16.8029 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id	e649c4e0-8f1f-4e66-3401-08dd81ef5a6c
X-Ms-Exchange-Crosstenant-Id	1fa8a682-acc7-4025-abff-5f8878e1d105
X-Ms-Exchange-Crosstenant-Authsource	CY4PEPF0000EDD7.namprd03.prod.outlook.com
X-Ms-Exchange-Crosstenant-Authas	Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader	Internet
X-Ms-Exchange-Transport-Crosstenantheadersstamped	BN0P221MB0654
X-Ms-Exchange-Transport-Endtoendlatency	00:00:05.5172563
X-Ms-Exchange-Processed-By-Bccfoldering	15.20.8678.006
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4713078)(4714097)(4999068)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	UmmPJLPzpcaeumbGX5qhoUCzU4U8lAXSRxnnpENyD1AHtXtKJFj7GLcSFNLK1Sia0p0E2bb83DTqqhKfOoaRszh5bnzmVgwQLXrHLBRivad+YHr/0KbyxtWJBTnULxsW3KwbCoi0NqUKi+Vp4MZGyl/7GFcX0/QrPeYJ3pBOpuXmOOsTN8l66GPi43vm7OtEbvzWRFSbZGuUZrnPq/G0inxmfsAHynLdldWwXwS13Yke7FjIldeD0JemP+yDsKldMAzD0yyiHo9CJvKigjyeva3SjqzFXio+HbHJGIjefw4pY8XRBaVvzctz4S5RDHQ2ezc4R15+BWn9dFUbtE/PnX9isHSHAb3AvydhsM+P3qopq+OhxAv5gEo+peOT88em4G0wssT1ltIehT8+3cQG2kCJoV0TElHaAqkU4gaPkBbyN/ejRXWn60mUAnIsyZs8KM/wcC0MVZBU2zURwRtSTDVCzM5Hc8kLNd9AzStb2Wqf7A5hhd1LFN/HJrYueTV+dykiHv4I7OhvtR1ahadLuFpkCm8V4XPf8Lrml2ah7VqtrZLbt3mB3kifAscLPl5B6dgOfElndXk/TSfrvVHTH4LdRsurRgfUjHeM3GE5zsmfY3GdLbIsg4eWu3/bn/cniYjMLvzMRlidNZCSCIXdYUfcu6cXxmmL9SSK8L3H8wZtzX+IiyOarx2241E0NRz4/gkYZc1Nc2MTHxj+NqraqE3Eq3OpBdf7zIqeD6Lc5aydrfc9h/faLK/yDTc0OnZUhHOFN2fa35YqY2QYUzpik4KSjciUV7PIhX1+EXoMnXmzXIqlcGORWEGcw6BNzmKQh8KrcOAr5ax84ax6JhCPn1Mgn6RcA0/u19Qp4seD3ry76MX5AZyUgtsTI/mgH/JckF2pcXGz/Y57SjwKm93W7Vxs6MlkO20k0xEg9Yk4QfBTmyjeuGvmVeJHJksQjJNd8pzpP6b9HYR/BchadLiXt8GkPbIz4vVzQI6xxJN/Kl4vQHOaV5eQrZfPhlKDsWJC9gzDLqW8NZC8jumyWNTxDWVUAMUJJXlSccrzc6QOguLIHZ08t9FpoEP77z4O/mFaglRzdrbwBaXYBjHYh5XH+TqMjzePihmK+TrDWpJYzNHTAtqTHE1qlh1b1zyPPBZJHb2Nh9/bLYnWTgrq2Kj53VS3Iih6ortbeYrhALnQwboLieOJTwd5ksIJtsqBT7H9Ue06YQHH3FGAqsXxUeYeN12r01l/7p1C2J6dhu8E4wepQoMM8jt72+AT5dbgbys6F/m4JrU0bDNPR1AtYtwtSFPC/QpL3KC+1TGTZ59g04AKx1RFYXzdVRCCxyzGaMdiDR9N7XdvIVQfcoH30VP7pLd+LNlRxJtCngfjwosXzN+XAJfoH03qdjbMcHpFQqs72fkKemxzV7XgoBp+krBzpDJqOmHfmJvN4lfyhR82xBglKTTDTaTHlk8BywxiPzKtmKGXQKTzNFt8WZQzaT/3FCoYomgkTbdSM8nG7qfwXzyRHfMWy2LCYTI4u6QSq1dvO7lRJd2nWJvfkyftaBK/fuFa0bTB5VTZBj/0kzozdTIaUMOI2Aw/yv9PdthLRVMxr+1C4Nh/WDyxR97AVdb7EahouptyCjyN0xjPS6zwqmG00LjSBJT2z6wKjXf6A5h1BrvvJUObSCp/O+q6FQu0IYdBJPVteZb07bLdoZbBz3+5y736SSxvZAa63jiggPtUVDZaKEs2XquV1U28bzIVYo4cAs1QheDHRUwRo/ClGK7VT/svG++tC7NoZc/GFd8sVDrQmPZwH1pmqe1aJluHKISYiD2fTgDb5A88Y+auJqOFqq6vuHf2i1zBNf8kilQdbyLImcU2agk9unNq/u8XDcaww/2UW4dI13IieQscpIAL6Qa7/AeWSPFpg1/NsfMariZhGlPxD5blk9gNctkv6rsNGYG7rYEcwytBETIhn+hZulEX8UGLaGqMvrnfzMvzURr8ET2R0pUS7revjPjm5eYYYpmqSa9eqDEx4UmWz8u1LIfCr1ZlGIoUNrz1iHTpadpTcoYR1vO3pSF9a80NQNPLZWXTcIvYN6I4aOp9QCG1llGXH1FeCX3D1kBAGOCI5S8OSV1U+5cMRyFhMuZlF4WsQh9rJzZAMp+GrKQU81y2Tx586eaDUMUQlyPddSVBX8NI4E4+qzEssiqo/YyQKdVxS1OqPglJMmw1YKCbTLo=
Content-Transfer-Encoding	7bit

File Icon


Icon Hash:	46070c0a8e0c67d6