Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
nested-Please Review%3A].eml

Overview

General Information

Sample name:	nested-Please Review%3A].eml
Analysis ID:	1587889
MD5:	e5466e4b5016030795d0c8210a6a000b
SHA1:	b03b3dadb44190928fc05ab5f16b1d01773d1d41
SHA256:	2b598b1ac9214f44886c121dcff8af09d0ed82745932c81d0aed7642b2edbb15
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected potential phishing Email

Email SPF failed

Queries the volume information (name, serial number etc) of a device

Stores large binary data to the registry

Classification

×

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 1364 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Please Review%3A].eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6220 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B5472C1E-E77D-44F7-9E05-896767431CCB" "B4AC4E65-83AD-487F-BBE9-3777D68B1DF7" "1364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected potential phishing Email

Source: Email

Joe Sandbox AI: Detected potential phishing email: Mismatched domain in sender email (landcare.com) trying to impersonate esperion.com. Suspicious attachment with deceptive naming pattern (secured File__esperion.com.html). Vague subject line with unusual formatting ('Please Review:]')

Email SPF failed

Source: nested-Please Review%3A].eml

Email attachement header: Authentication-Results: fail (sender IP is 104.219.238.37) smtp.mailfrom=landcare.com

Source: Email

Classification: Credential Stealer

Source: classification engine

Classification label: mal48.winEML@3/5@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250110T1217280469-1364.etl

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Please Review%3A].eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B5472C1E-E77D-44F7-9E05-896767431CCB" "B4AC4E65-83AD-487F-BBE9-3777D68B1DF7" "1364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B5472C1E-E77D-44F7-9E05-896767431CCB" "B4AC4E65-83AD-487F-BBE9-3777D68B1DF7" "1364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 0

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	11 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ax-0001.ax-msedge.net	150.171.27.10	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587889
Start date and time:	2025-01-10 18:16:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nested-Please Review%3A].eml
Detection:	MAL
Classification:	mal48.winEML@3/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 2.22.50.131, 2.22.50.144, 2.16.168.101, 2.16.168.119, 52.168.117.174, 4.175.87.197, 20.223.35.26, 2.23.227.215, 2.23.242.164, 150.171.27.10, 20.74.47.205, 2.23.227.221
Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, tse1.mm.bing.net, g.bing.com, a767.dspw65.akamai.net, arc.msn.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, officeclient.microsoft.com, wu-b-net.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, a1864.dscd.akamai.net, www.bing.com, ecs.office.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, onedscolprdeus22.eastus.cloudapp.azure.com, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	http://atozpdfbooks.com	Get hash	malicious	Unknown	Browse	150.171.27.10
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://app.planable.io/review/0OPaw36t6M_k	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	https://we.tl/t-fnebgmrnYQ	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DwyWG_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLQ6-2Bsxhj60Ehn0XDEyVD6MCEZ1gioYU2lwgwkCuP2dHRX-2FYdZnQ31dEdwKW37GtXYj9HmZ1F0YrZWwSELmaO5K7noqwYAhu2QGcGqOtQYdjShoJMVTWOe6BTzZXQxib8Y6rd4SX-2BUwZMt-2BbgPIpal6PcS8i4PCSiFy8RF-2Ftt22Wpj713n23BIU6an4375YDP3	Get hash	malicious	Unknown	Browse	150.171.28.10
	http://api.myuhchvision.com/	Get hash	malicious	Unknown	Browse	150.171.27.10
	http://www.oneroguereporter.com/gks	Get hash	malicious	Unknown	Browse	150.171.27.10
	colleague[1].htm	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxsYmJ5tlN1JIFNOQtoSEGkLgECYxMchW4UXMllXUALJmesTsjgTR1H-2FvUTVSSAEe4R1GQy-2Bvbd8Zmmy4leDYmh9UNV6oDPX-2BT4wzcyKrfAdXvv6hKSBoru3q77depPs43qOB1DgUqmMdQP-2BNz7H62jYGp-2BH9nmpPKVjXmtKn9w5STVYGL4aqMBL65ruXSYeXZw-3D-3Didct_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419OCcA-2Bhorh4noX10R0htjc0oQD2shNvY2qd7sBvACS4ZxcOvRGqgf-2FzJzWjtjVb7R-2Fc1EPJdReLV-2BtujCvON-2Bc7V1MBDoLDS-2FjF655eEyLK512HQYbp-2FAbQ3P7q3sD01OmQtuWrJdDi7i9EqNYnB7vGsmi9YvC3tf2fi-2F59j5CgE2Yo8KxAbs4pwwxMvCRmFfOK49lsAVAfn3guJ7HTuaWX	Get hash	malicious	Unknown	Browse	150.171.28.10
	1.png	Get hash	malicious	Unknown	Browse	150.171.28.10

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250110T1217280469-1364.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	4.476399162339858
Encrypted:	false
SSDEEP:	768:AZHO5WtW2idagTUe4bAJCu1RPyY9wAFflfcYZXGAVZvj4S:ek4c9wATlXNVZvj4S
MD5:	9CA0CFB9EE413494A4626916E95ECE3D
SHA1:	F99A04162CAFA835A3E8F8482F68572589BF17A0
SHA-256:	BA651BEFF83220FB968A462CEC3F8C9D55E4BD86ACA9076548F44C98EEC1FE1E
SHA-512:	72AED543E31EF354FB11486F2433C3E050D4BC5825D67BD4C17891126FA133A75BE50E0CCB9EA812D9A56D273A4C590FB8DCFFBAC2DF2380C22EB07327DA251C
Malicious:	false
Reputation:	low
Preview:	............................................................................f...d...T...W.l..c..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................!.CH...........W.l..c..........v.2._.O.U.T.L.O.O.K.:.5.5.4.:.9.d.c.4.f.e.1.2.0.f.4.f.4.3.f.d.8.7.f.d.b.7.2.6.6.e.0.0.1.e.f.b...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.1.1.0.T.1.2.1.7.2.8.0.4.6.9.-.1.3.6.4...e.t.l.........P.P.d...T.....o..c..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF092F9833D7B0D4D0.TMP

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3613836054883338
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	679672A5004E0AF50529F33DB5469699
SHA1:	427A4EC3281C9C4FAEB47A22FFBE7CA3E928AFB0
SHA-256:	205D000AA762F3A96AC3AD4B25D791B5F7FC8EFB9056B78F299F671A02B9FD21
SHA-512:	F8615C5E5CF768A94E06961C7C8BEF99BEB43E004A882A4E384F5DD56E047CA59B963A59971F78DCF4C35D1BB92D3A9BC7055BFA3A0D597635DE1A9CE06A3476
Malicious:	false
Reputation:	high, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2A0BB2BDC6AA264A.TMP

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.715098418761207
Encrypted:	false
SSDEEP:	1536:pnGqL62Ak3mHhm4VGzF3xfh3nW53jEpEHP4qQZ0PAwrAQp0hW53jEpEHP4qQZ0Pn:tqHKfhZp9Lp9
MD5:	032CC33D93D81610B04D1EF54B65EFF8
SHA1:	F3C532E28BC1F25C6412EC59F64E969DD2C22526
SHA-256:	13776E22403D1C30D615D3D9EA057A12176FC08692F1817DA5E1DD1605720221
SHA-512:	7E486339DD973333AFBCA3F7C5828EB390A3993C3D454C6C29489CC20E3263F4200C39A4B975C1720FC4802B5E91DAD8177DF979F3A57669438ED52CEA4E0E28
Malicious:	true
Reputation:	low
Preview:	!BDN1C.uSM......\....=..@&..............Q................@...........@...@...................................@...........................................................................$.......D.......K..........................................................................................................................................................................................................................................................................................................................@..........K\|^......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	3.0722334549590116
Encrypted:	false
SSDEEP:	1536:FbjGXLbxfXW53jEpEHP4qQZ0PAwrBfaPJ:Qf5p97
MD5:	2F8AE02B6265A7B7066A069CAFCF867B
SHA1:	B1D77F9253E74F19FD2B813226680D5683F0058F
SHA-256:	D66FBA681F6018667483B6886468F18777FD85F7A87023FDB3AA42CC99DF3CB2
SHA-512:	0BDD4B6AA15097563D309C30DC22993E9C60400613950B1625A1F3727AA3B0186300D05897D92531260CFBD1301753B78920861265F4ED2B873B2F8CDE436BDD
Malicious:	true
Reputation:	low
Preview:	>..SC...........T......c....................#.!BDN1C.uSM......\....=..@&..............Q................@...........@...@...................................@...........................................................................$.......D.......K..........................................................................................................................................................................................................................................................................................................................@..........K\|^.....c....................#./............................Kx.#.......d..............."....Kx.&..............................c'............................Kx.0.......\|....................Kx.C......................."...`...F..............................cG...........................`...P...........................`...c....... ..............."...`...f..............................cg.......8...................`...p.......

Static File Info

General

File type:	ASCII text, with very long lines (517), with CRLF line terminators
Entropy (8bit):	5.856394996151251
TrID:
File name:	nested-Please Review%3A].eml
File size:	23'970 bytes
MD5:	e5466e4b5016030795d0c8210a6a000b
SHA1:	b03b3dadb44190928fc05ab5f16b1d01773d1d41
SHA256:	2b598b1ac9214f44886c121dcff8af09d0ed82745932c81d0aed7642b2edbb15
SHA512:	8d3f3f6c44b8cbbe250ae2df54b04fbf63f957655f987241a1befe047a2c666e820f41694ba87e83a65bde63af0c8b08746d68237c5d4453eb76e03f5d787e8a
SSDEEP:	384:Cm1GF37HhxJdyQLaHRFV21Gr2WrgRiN/MUfpuSJtdxFeJqOXVgQOzmrabrxaZ0IS:ChhxJCHR32WrrkSJto4OXVgQOzmWc0IS
TLSH:	04B286898F6B41B0C9C276E90D11BD0B59B61DBAE47370813E781957084F9EE5B0A78F
File Content Preview:	X-MS-Exchange-Organization-InternalOrgSender: False..Received: from SJ0PR03CA0031.namprd03.prod.outlook.com (2603:10b6:a03:33e::6).. by MN0P221MB1556.NAMP221.PROD.OUTLOOK.COM (2603:10b6:208:4bd::12) with.. Microsoft SMTP Server (version=TLS1_2,.. cipher=T

Static Mail

General

Subject:	Please Review:]
From:	"first quarter esperion.com" <kaitlyn.overton@landcare.com>
To:	aandison@esperion.com
Cc:
BCC:
Date:	Wed, 08 Jan 2025 11:50:02 +0000
Communications:
Attachments:	secured File__esperion.com.html

Headers

Key	Value
X-MS-Exchange-Organization-InternalOrgSender	False
Received	from [127.0.0.1] (104.219.238.37) by SJ1PEPF0000231F.mail.protection.outlook.com (10.167.242.235) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8335.7 via Frontend Transport; Wed, 8 Jan 2025 11:50:03 +0000
Authentication-Results	spf=fail (sender IP is 104.219.238.37) smtp.mailfrom=landcare.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=landcare.com;
Received-SPF	Fail (protection.outlook.com: domain of landcare.com does not designate 104.219.238.37 as permitted sender) receiver=protection.outlook.com; client-ip=104.219.238.37; helo=[127.0.0.1];
Content-Type	application/octet-stream; name="secured File__esperion.com.html"
Content-Transfer-Encoding	base64
Content-Disposition	attachment; filename="secured File__esperion.com.html"
From	"first quarter esperion.com" <kaitlyn.overton@landcare.com>
To	aandison@esperion.com
Subject	Please Review:]
Message-ID	<765a849b-09dc-3c01-bf5f-059829827023@landcare.com>
Date	Wed, 08 Jan 2025 11:50:02 +0000
MIME-Version	1.0
Return-Path	kaitlyn.overton@landcare.com
X-MS-Exchange-Organization-OriginalArrivalTime	08 Jan 2025 11:50:03.3845 (UTC)
X-MS-Exchange-Organization-ExpirationStartTime	08 Jan 2025 11:50:03.8846 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	8e8175c1-5020-411e-6244-08dd2fda96fa
X-MS-Exchange-Organization-OriginalClientIPAddress	104.219.238.37
X-MS-Exchange-Organization-OriginalServerIPAddress	10.167.242.235
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	2a27e3bf-2378-4998-8a6c-4d5e0c7d2362:0
X-MS-Exchange-Organization-TargetResourceForest	namp221.prod.outlook.com
X-MS-Exchange-Organization-OrgEopForest	NAM11
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-Exchange-Organization-Id	2a27e3bf-2378-4998-8a6c-4d5e0c7d2362
X-MS-Exchange-Organization-FFO-ServiceTag	NAM11B
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed	SJ1PEPF0000231F.namprd03.prod.outlook.com
X-MS-Exchange-Organization-ConnectingIP	104.219.238.37
X-MS-Exchange-Organization-ConnectingEHLO	[127.0.0.1]
X-MS-Exchange-Organization-AS-LastExternalIp	104.219.238.37
X-MS-Exchange-Organization-IsS500Tenant	true
X-MS-Exchange-Organization-IsBipIncludedAtpTenant	true
X-MS-Exchange-Organization-IsAtpTenant	true
X-MS-Exchange-Organization-Originating-Country	US
X-MS-Exchange-Organization-OriginalEnvelopeRecipients	aandison@esperion.com
X-MS-Exchange-Organization-PtrDomains	brf-secure01-ether0-0.tm.net.my
X-MS-Exchange-Organization-EhloAndPtrDomain	[127.0.0.1];brf-secure01-ether0-0.tm.net.my
X-MS-Exchange-Organization-MxPointsToUs	false
X-MS-Exchange-Organization-RecipientDomainMxRecord-PFAFD	esperion.com#d98218a.ess.barracudanetworks.com
X-MS-Exchange-Organization-RecipientDomainMxInfo	esperion.com#Barracuda#d98218a.ess.barracudanetworks.com
X-MS-Exchange-Organization-CompAuthRes	none
X-MS-Exchange-Organization-CompAuthReason	300
X-MS-Exchange-Organization-SpoofDetection-Frontdoor-DisplayDomainName	landcare.com
X-MS-Exchange-Organization-SenderRep-Score	5
X-MS-Exchange-Organization-SenderRep-Data	IpClassSmallGrayOther_SmallGrayOther_GrayOther
X-MS-Exchange-Organization-VBR-Class	SmallGrayOther
X-MS-Exchange-Organization-HMATPModel-Spf	4
X-MS-Exchange-Organization-HMATPModel-Recipient	<PII:H100055(7ylUWHJKY6BKJTyqLa2QJO8U01c+pDxXLem+YHEDW30=)>@esperion.com
X-MS-Exchange-Organization-TransportTrafficType	Email
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	SJ1PEPF0000231F:EE_\|MN0P221MB1556:EE_
X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress	LSRV=SJ0PR03CA0031.namprd03.prod.outlook.com:TOTAL-FE=0.025\|SMR-PEN=0.026(RENV=0.023);2025-01-08T11:50:04.105Z
X-MS-Exchange-Organization-MessageLatency	SRV=SJ0PR03CA0031.namprd03.prod.outlook.com:TOTAL-FE=0.208\|SMR-PEN=0.026(RENV=0.023)\|SMS=0.183(SMSC=0.144)
X-MS-Exchange-Forest-ArrivalHubServer	MN0P221MB1556.NAMP221.PROD.OUTLOOK.COM
X-MS-Exchange-Organization-AuthSource	SJ1PEPF0000231F.namprd03.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Exchange-Organization-FromEntityHeader	Internet
X-MS-Exchange-Organization-MessageScope	19caec26-3e7f-462d-a377-d809492acd1e
X-MS-Exchange-Forest-MessageScope	19caec26-3e7f-462d-a377-d809492acd1e
X-MS-Exchange-Organization-Antispam-ProtocolFilterHub-ScanContext	ProtocolFilterHub:SmtpOnEndOfData;
X-MS-Office365-Filtering-Correlation-Id	8e8175c1-5020-411e-6244-08dd2fda96fa
X-MS-Exchange-Organization-P2SenderDisplayNamePII	H100055(GYJTtH9EdBDxJg6TvGwOqFFV0q35ytO+o0RdkBD7M/0=)
X-MS-Exchange-Organization-P2SenderPII	<PII:H100055(CEuMlBOnD08zLuW/bk6Oc0c7hvUh0/qD/s0ArPA6jRo=)>@landcare.com
X-MS-Exchange-Organization-Antispam-AuthResults	{"SpfDomain":"landcare.com","SpfAuthStatus":"Fail","DkimAuthStatus":"None","DkimSubStatus":"None","DmarcAuthStatus":"None","DmarcAction":"None","ArcAuthStatus":"0","ArcSubStatus":"0"}
X-MS-Exchange-Organization-PFAHub-Total-Message-Size	7249
X-MS-Exchange-Organization-OriginalSize	7249
X-MS-Exchange-Organization-HygienePolicy	Premium
X-MS-Exchange-Organization-ReplicationInfo	ReplicaId=6d6887bf-5c4d-d004-3b12-3897da2fdd08;ReplicatingServerFqdn=CH3P221MB1536.NAMP221.PROD.OUTLOOK.COM
X-MS-Exchange-Forest-Language	en
X-MS-Exchange-Forest-IndexAgent-0	AQ0CZW4BH/wBW3sNCiAgImluZGV4IjogMCwNCiAgIkF0dGFjaG1lbn RQcm9wZXJ0aWVzIjogew0KICAgICJleHRlbnNpb24iOiAiaHRtbCIs DQogICAgInVybHMiOiBbXSwNCiAgICAiaW5uZXJGaWxlcyI6IFtdLA 0KICAgICJkZXRlY3RlZEZvcm1hdCI6ICJodG1sIiwNCiAgICAibmFt ZSI6ICJzZWN1cmVkIEZpbGVfX2VzcGVyaW9uLmNvbSIsDQogICAgIn R5cGUiOiAiU3RyZWFtQXR0YWNobWVudCIsDQogICAgImZyb21DYWNo ZSI6IGZhbHNlDQogIH0NCn1dAAEfAAAADwAAAx+LCAAAAAAAAApiAA AAAP//AwCN7wLSAQAAAA==
X-MS-Exchange-Forest-IndexAgent	1 298
X-MS-Exchange-Forest-EmailMessageHash	00000000,2D5003C6
X-MS-Exchange-Organization-PhishSim-Rules-Execution-History	2db7c2d7-59aa-4900-859f-b77b45ca05b8
X-MS-Exchange-Organization-Antispam-PreContentFilter-PolicyLoadTime	PSOSUB:131;PSOSUBLOAD:128;PSOSUBRUN:1;PSOSUBCOUNT:1;SMORES:42;SMORESLOAD:42;SMORESRUN:0;SMORESCOUNT:0;SAORES:172;SAORESLOAD:41;SLORES:43;APORES:43;APORESLOAD:42;APORESRUN:0;APORESCOUNT:1;RSORES:42;SLORESLOAD:42;SLORESRUN:0;SLORESCOUNT:2;
X-MS-Exchange-Organization-MessageFingerprint
X-MS-Exchange-Organization-AttachmentDetailsInfo-ChunkCount	1
X-MS-Exchange-Organization-AttachmentDetailsInfo-0	[{"ID":0,"FS":218,"SHA256":"a81c7d76a919d950da92325d9a8daa7a720887d8168209aa18e8d8488539e266","HFH":"qBx9dqkZ2VDakjJdmo2qenIIh9gWggmqGOjYSIU54mY=","FE":"html","AF":2560,"AFT":"{784:\"secured File__esperion.com.html\",789:\"html\"}","AFT2":"{784:\"secured File__esperion.com.html\",789:\"html\",2934:\"html\",2943:\"Markup\"}"}]
X-MS-Exchange-Organization-FeatureTable	{1010:0,1011:"F0EB79A1;ECC1CDC7;E55ED68D;",1028:11687,1029:9842,1030:37,1031:1844,1032:11687,1033:9842,1034:37,1035:1844}
X-MS-Exchange-Organization-Antispam-PreContentFilter-ScanContext	CategorizerOnSubmitted;CategorizerOnResolved;
X-MS-Exchange-Organization-AVScannedByV2	true
X-MS-Exchange-Organization-AVScanComplete	true
X-MS-Exchange-Organization-IsAnyAttachmentAtpSupported	true
X-MS-Exchange-Organization-OffboxClassificationInfo	{"EndpointId":"DCS","OperationIds":{},"OperationStates":{},"Classifiers":[],"RuleInfos":[],"CorrelationId":"d61c2a4c-988a-46b8-a7b1-1a78c3b2f3d0","TotalClassificationLatency":"00:00:00"}
X-MS-Exchange-Organization-ExternalRoutingTopologyAnalysis
X-MS-Exchange-Organization-Recipient-Limit-Verified	True
X-MS-Exchange-Organization-TotalRecipientCount	1
X-MS-Exchange-Organization-ExternalRecipientCount	0
X-MS-Exchange-Organization-IsSingleRepresentative	True
X-MS-Exchange-Organization-ASDirectionalityType	1
X-MS-Exchange-Organization-HVERecipientsForked	1.0
X-MS-Exchange-Organization-SafeLinksPolicy-BIP	Built-In Protection Policy
X-MS-Exchange-Organization-SafeAttachmentPolicy-BIP	Built-In Protection Policy
X-MS-Exchange-Organization-SafeAttachmentPolicy	Built-In Protection Policy
X-MS-Exchange-Organization-SafeLinksPolicy	Safe Links Off
X-MS-Exchange-Organization-SafeAttachmentPolicy-Enable	1
X-MS-Exchange-Organization-SafeLinksPolicy-EnableSafeLinksForEmail	0
X-MS-Exchange-Organization-SafeLinksPolicy-EnableSafeLinksForInternalSenders	0
X-MS-Exchange-Organization-SenderRecipientCommunicationState	NEI
X-MS-Exchange-Organization-Boomerang-Verdict	None
X-MS-Exchange-AtpMessageProperties	SA
X-MS-Exchange-Organization-CommunicationStateSummary	NEI
X-MS-Exchange-Organization-FirstContactSummary	ST=2;MRG=0;EXT=0;UN=1;ORCT=1;EV=1;FC=0;NESI=1;NES=0;ESTI=0;EST=0;INS=0;MP=0;UD=0;QE=0;ERR=0
X-MS-Exchange-Organization-IsKnownDomain	1
X-MS-Exchange-Organization-SenderIntelligence-P2Sender	{"stringProperties":{"Watermark":"2025/01/06","FirstSeen_30D":"2024-12-09","LastSeen_30D":"2025-01-05","AvgInbound_1D":"3212.03","AvgOutbound_1D":"55.13","ListDisplayNames_30D":"","VolumeBucket":"","_STATUS":"Success"},"numericProperties":{"SenderFlagRatio":74,"SenderForwardRatio":173,"SenderMarkAsJunkRatio":185,"SenderMarkAsPhishRatio":2293,"SenderMarkAsUnReadRatio":111,"SenderMoveToJunkRatio":296,"SenderReadRatio":2466,"SenderReplyRatio":259,"TDNA_050Count_AuthPassed":10,"TDNA_050_90Count_AuthPassed":10,"TDNA_100Count_AuthPassed":5,"TDNA_100_90Count_AuthPassed":5,"MaxLenZero_AuthPassed":125,"MaxMailsSent_AuthPassed":1343,"TotalDaysSentLast135_AuthPassed":8,"TotalDaysSentLast14_AuthPassed":0,"TotalDaysSentLast180_AuthPassed":8,"TotalDaysSentLast7_AuthPassed":0,"TotalDaysSentLast90_AuthPassed":8,"TotalMailsSentLast135_AuthPassed":3777,"TotalMailsSentLast14_AuthPassed":0,"TotalMailsSentLast180_AuthPassed":3777,"TotalMailsSentLast7_AuthPassed":0,"TotalMailsSentLast90_AuthPassed":3777,"MedianMailsSent_AuthPassed":0,"MedianMailsSentLast45Days_AuthPassed":0,"MedianMailsSentLast90Days_AuthPassed":0,"FirstQ_AuthPassed":0,"SecondQ_AuthPassed":0,"ThirdQ_AuthPassed":0,"AvgMailSentPerDayLast1Week_AuthPassed":0,"AvgMailSentPerDayLast2Week_AuthPassed":0,"AvgMailSentPerDayLast45Days_AuthPassed":4276,"Avg_Rcpt_Ratio_AuthPassed":28939,"Bin1_Mailcount_Ratio_Avg_AuthPassed":10796,"Dkim_Mailcount_Ratio_Avg_AuthPassed":316,"Ip_Mailcount_Ratio_Avg_AuthPassed":23455,"Spf_Mailcount_Ratio_Avg_AuthPassed":291,"TDNA_050Count_AuthNotPassed":25,"TDNA_050_90Count_AuthNotPassed":25,"TDNA_100Count_AuthNotPassed":14,"TDNA_100_90Count_AuthNotPassed":14,"MaxLenZero_AuthNotPassed":125,"MaxMailsSent_AuthNotPassed":76074,"TotalDaysSentLast135_AuthNotPassed":15,"TotalDaysSentLast14_AuthNotPassed":2,"TotalDaysSentLast180_AuthNotPassed":15,"TotalDaysSentLast7_AuthNotPassed":0,"TotalDaysSentLast90_AuthNotPassed":15,"TotalMailsSentLast135_AuthNotPassed":288771,"TotalMailsSentLast14_AuthNotPassed":54,"TotalMailsSentLast180_AuthNotPassed":288771,"TotalMailsSentLast7_AuthNotPassed":0,"TotalMailsSentLast90_AuthNotPassed":288771,"MedianMailsSent_AuthNotPassed":0,"MedianMailsSentLast45Days_AuthNotPassed":0,"MedianMailsSentLast90Days_AuthNotPassed":0,"FirstQ_AuthNotPassed":0,"SecondQ_AuthNotPassed":0,"ThirdQ_AuthNotPassed":0,"AvgMailSentPerDayLast1Week_AuthNotPassed":0,"AvgMailSentPerDayLast2Week_AuthNotPassed":386,"AvgMailSentPerDayLast45Days_AuthNotPassed":229291,"Avg_Rcpt_Ratio_AuthNotPassed":65069,"Bin1_Mailcount_Ratio_Avg_AuthNotPassed":8114,"Dkim_Mailcount_Ratio_Avg_AuthNotPassed":1588,"Ip_Mailcount_Ratio_Avg_AuthNotPassed":2650,"Spf_Mailcount_Ratio_Avg_AuthNotPassed":1719,"TotalEmailsSent_30D":98015,"TotalDaysSent_30D":18,"SenderScore":109,"MoveToJunkCount":58,"P2SenderReputation":937,"AvgTotalUnsubscribeHeaderRatio_AuthNotPassed":0,"AvgTotalUnsubscribeBodyRatio_AuthNotPassed":80,"AvgEnterpriseBodyRatio_AuthNotPassed":70,"TotalCountSum24h":72,"TotalCountSum1h":60,"EntityFound":1}}
X-MS-Exchange-Organization-SenderIntelligence-P2SenderOrgDomainTenantId	{"stringProperties":{"_STATUS":"Success"},"numericProperties":{"EntityFound":0}}
X-MS-Exchange-Organization-EmailFingerprintsDetailsInfo-ChunkCount	1
X-MS-Exchange-Organization-EmailFingerprintsDetailsInfo-0	[{"Type":"VA6","Val":"VA6_29AF5D24C1FA6FE023A113E0EC7D1EE462202C2DFEAD9E590144FF2769577431","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA5","Val":"VA5_DD1746DA57E7F0D9332A680C2BA977377A38C62C27D8D7292D3D286842471417","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA4","Val":"VA4_8F8FB874946404B86D443C748E0252B45F27B7FFCA94EAA19D86F6D3866A0F92","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA11","Val":"VA11_A7BF4CBDD00B8B2128B61AA9A05D33BCFFE0B32522186D7EDA104D3235223196","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA10","Val":"VA10_E5E430E4551EB40DEA7AE74BA06594D80FDFB2B14C532352A97D669A1C6449D8","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA61","Val":"VA61_5846DEFCA54349ED3E57035837299A4C44BAF08E0441C8EF46616C302D3042C9","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA60","Val":"VA60_C83628C7041043925F27583A77AFAB2CABE0E9D17DA97A74A019F2AEB32A03FA","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA2","Val":"VA2_5DC4DE2CEA0CDAA2FCDAD3AA5D9E3799B06E1CCE3C1093A868DB337BE099AD31","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA1","Val":"VA1_CEF16BE42A27E5026C3BC5D3D5BBA39E342C789678BA54EDC7A2E78B02D8190F","Func":"SHA256","FF":0,"PD":{}},{"Type":"VA0","Val":"VA0_29AF5D24C1FA6FE023A113E0EC7D1EE462202C2DFEAD9E590144FF2769577431","Func":"SHA256","FF":0,"PD":{}}]
X-MS-Exchange-Organization-FeatureTableV2	{384:"landcare.com",385:"landcare.com",386:"True",387:"True",452:1,453:1,454:"1A6E9F98@esperion.com",455:"NEI",501:4,502:7,503:4,504:7,506:4,507:4,508:"none",509:"landcare.com",510:"landcare.com",651:2,653:1,656:1,743:1,744:1,749:"Latn",756:0,757:0,1010:0,1011:"F0EB79A1;ECC1CDC7;E55ED68D;",1028:11687,1029:9842,1030:37,1031:1844,1032:11687,1033:9842,1034:37,1035:1844,1036:"27176",2501:0,2502:0,2503:0,2504:0,2505:0,2506:0,2507:0,2508:0,2509:0,2510:0,2511:0,2512:0,2513:0,2514:0,2515:0,2516:0,2517:0,2518:0,2519:0,2520:0,2521:0,2522:0,2523:0,2524:0,2525:0,2526:0,2527:0,2528:0,2529:0,2530:0,2531:0,2532:0,2533:0,2534:0,2535:0,2536:0,2537:0,2538:0,2539:0,2683:576,2684:511,2685:582,2686:511,2687:582,2688:"2024-12-09",2689:"2025-01-05",2690:"3212.03",2691:"55.13",2692:98015,2693:18,2694:74,2695:173,2696:185,2697:2293,2698:111,2699:296,2700:2466,2701:259,2702:25,2703:25,2704:14,2705:14,2706:125,2707:76074,2708:15,2709:2,2710:15,2711:0,2712:15,2713:288771,2714:54,2715:288771,2716:0,2717:288771,2718:0,2719:0,2720:0,2721:0,2722:0,2723:0,2724:0,2725:386,2726:229291,2727:65069,2728:8114,2729:1588,2730:2650,2731:1719,2732:0,2733:80,2737:70,2739:14184,2740:5740,2741:115,2742:1341,2743:11184,2744:180,2745:209924,2746:189012,2747:5,2749:1,2750:1,2757:1,2758:1,2760:1,2924:"None",3084:"0",3099:1,3100:31,3155:3744,3156:3744}
X-MS-Exchange-Organization-Antispam-AnalystFeatureFilter-ScanContext	CategorizerOnResolved;
X-MS-Exchange-Organization-Cross-Session-Cache	01ure=0;PReRC=1;ATCHC=1;IMGC_AE=0;PreCFAV2BFDone=1;IsAnyAttachmentAtpSupported=true;URLC_BE=0;URLC_BEC=0;URLC_AE=0;URLC_BA=0;FPR=;TDNA=;UCEPV_CFG=COOEV3\;2\;0\;0\;0\;0\;0\;0\;0\;0;UCEPV_FP=-1;UCEPV=-1;SLP=7774fe22-a9d7-4cbe-b675-edaf22f60f3f;SLPC=F:000000;SAP=71114ad6-3cc7-4fd5-b201-9e6f463b33f4;SAPC=F:1\|A:0;BIPLT=1;DIR=1;NoDLx=1;CGDLxSupported=1;CGPreCFA=1;GWS_Read=V2;GUIMP_SUM=R1S1;SRCS=NEI;BR_V=None;PTRO=tm.net.my;P2O=landcare.com;P_CAUTH=none;P_CAUTHR=300;P_CAuthOSLookupFailed=false;P_CAuthOSLookupPerformed=true;P_OSCAUTH=none;P_OSCAUTHR=300;KWND=1;SIP2BCLAP=-1;SIP2BCLAF=-1;BULKF_DBG=V3\|P2SNA;BIMPPreCFATrainingCache=true;RT=SA;BMEPV_CFG=BPMV3\;1\;9\;11\;11\;12;BMESV_CFG=BSMV3\;1\;5\;5\;5\;6;BMHPV_CFG=BMHPV3\;2\;10\;10\;10\;10;M3HPV_CFG=M3HPV3\;2\;20\;20\;20\;20;SRESV_CFG=SDREB\;1\;3\;3\;3\;4;M3EPV_CFG=M3EPV4\;3\;8\;9\;10\;15\;8\;9\;10\;15;M3ESV_CFG=M3ESV4\;3\;19\;20\;20\;20\;47\;50\;50\;50;M3EIV_CFG=M3EIV4\;1\;14\;20\;22\;29\;30\;37\;49\;60;M3HSV_CFG=M3HSV4\;1\;45\;45\;45\;45\;53\;53\;53\;53;BKEMB_CFG=EOPUnwantedBulkV2\;3\;20\;120\;20;OMESV_CFG=OMESV1\;1\;-1\;-1\;13;CLEPV_CFG=M3ECV4\;3\;26\;42;SAEPV_CFG=SAEPV\;1\;TBD;SUEPV_CFG=SUEPV\;1\;TBD;UESELV3_CFG=UESELV3\;3\;TBD;UMEPV_CFG=UESELV3\;3\;TBD;SPESV_CFG=SESPIV0\;1\;45\;30
X-MS-Exchange-Organization-Rules-Execution-History	cbc67492-b040-4958-afe4-be9de75ee915%%%e04629ed-f207-43d5-b5b0-8d9898ec7bc6%%%af03253a-bb49-41e6-a0cf-ba0934607751%%%67813f1c-e13b-4b0b-8342-8000eafb9ebe%%%1fb7776c-63b7-4cce-9649-37f6430f96b8%%%beb0ebf9-a4ce-4467-8362-06d4bf5e0105%%%ef8e1672-5cd6-4438-88c5-9d5c27e39d19%%%577e018e-53d3-46b1-98f8-1cbd32eb8957%%%e8393bc1-4148-4abf-97a0-06430356f402%%%30638d93-c886-4641-8652-2cb44557f9a4%%%34ff6e41-6e26-422c-8e18-45feaba35425%%%6579bc4c-c820-4202-9648-dd358c9889a9
x-ms-reactions	disallow
X-MS-Exchange-Organization-Rules-Execution-Log	30638d93-c886-4641-8652-2cb44557f9a4
X-MS-Exchange-Organization-RuleName-Execution-Log	RGlzYWxsb3cgUmVhY3Rpb25zIG9uIEVtYWls

File Icon


Icon Hash:	46070c0a8e0c67d6

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:18:20.716598988 CET	1.1.1.1	192.168.2.6	0x2edd	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:18:20.716598988 CET	1.1.1.1	192.168.2.6	0x2edd	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:18:20.716598988 CET	1.1.1.1	192.168.2.6	0x2edd	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 1364, Parent PID: 4004

General

Target ID:	2
Start time:	12:17:25
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Please Review%3A].eml"
Imagebase:	0x4a0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: ai.exePID: 6220, Parent PID: 1364

General

Target ID:	13
Start time:	12:18:09
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B5472C1E-E77D-44F7-9E05-896767431CCB" "B4AC4E65-83AD-487F-BBE9-3777D68B1DF7" "1364" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7a93b0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly