Filename: phish_alert_sp2_2.0.0.0.eml
Category: initial sample
Filetype: RFC 822 mail, ASCII text, with very long lines (2137), with CRLF line terminators
Entropy: 5.939859836217948
Filesize: 14876
MD5: 3ca27d913f217e45f50bab9fc8e0bc73
SHA1: b3f9509f2aa785bf9d8cb61d59c204dcbd7424a2
SHA256: d5986e069a8dece2eb00e0137d4414bd1c70c78f864a7412cc2aa32525b8360e
SHA512: f4d8b825eafde1854fc6e6704adb3bea31edea2ac13282812077c6fc88177268c6cf912e23da9d42dae48fa406c35f150fecb29843e251113605665bda802c55
SSDEEP: 192:sodg2PR65HhpNNIbhQYAgPbhqQx7fCDA5mF+8sKDpfnJdZA/Ro9pR4CRB5dXGyBB:sodg2PR2jmbeSzXjuG18MRWRBrhlKW
Preview: Received: from DB9P189MB1836.EURP189.PROD.OUTLOOK.COM.. (2603:10a6:10:326::21) by AM8P189MB1316.EURP189.PROD.OUTLOOK.COM with.. HTTPS; Thu, 1 Aug 2024 11:14:37 +0000..Received: from DUZPR01CA0065.eurprd01.prod.exchangelabs.com.. (2603:10a6:10:3c2::8) by D

File: C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
Category: dropped
Dump: FRMCACHE.DAT.0.dr
ID: dr_0
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: data
Entropy: 4.394529052571661
Encrypted: false
Size: 231348
Whitelisted: false

File: C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml
Category: dropped
Dump: CatalogCacheMetaData.xml.0.dr
ID: dr_2
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Entropy: 5.084805852962181
Encrypted: false
Size: 1869
Whitelisted: false

File: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\01D9AD88-24AC-49A4-9EC1-1BB83F814805
Category: modified
Dump: 01D9AD88-24AC-49A4-9EC1-1BB83F814805.0.dr
ID: dr_3
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 5.288135471356618
Encrypted: false
Size: 175399
Whitelisted: false

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db
Category: dropped
Dump: outlook.exe.db.0.dr
ID: dr_11
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Entropy: 0.09304735440217722
Encrypted: false
Size: 4096
Whitelisted: false

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal
Category: dropped
Dump: outlook.exe.db-journal.0.dr
ID: dr_4
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: SQLite Rollback Journal
Entropy: 0.13784977103055013
Encrypted: false
Size: 4616
Whitelisted: false

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm
Category: dropped
Dump: outlook.exe.db-shm.0.dr
ID: dr_9
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: data
Entropy: 0.04347391592914322
Encrypted: false
Size: 32768
Whitelisted: false

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal
Category: modified
Dump: outlook.exe.db-wal.0.dr
ID: dr_10
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: SQLite Write-Ahead Log, version 3007000
Entropy: 0.3921331735287203
Encrypted: false
Size: 45352
Whitelisted: false

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{483B28B5-DC53-44F0-9283-B09A6CF0AB83}.tmp
Category: dropped
Dump: ~WRS{483B28B5-DC53-44F0-9283-B09A6CF0AB83}.tmp.0.dr
ID: dr_13
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: data
Entropy: 2.9091984941776894
Encrypted: false
Size: 2248
Whitelisted: false

File: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\AppData\Local\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7D731D1C-234D-4693-90A2-D812993FC5DB
Category: dropped
Dump: 7D731D1C-234D-4693-90A2-D812993FC5DB.12.dr
ID: dr_5
Target ID: 12
Process: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 5.291027210489096
Encrypted: false
Size: 172159
Whitelisted: false

File: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxAccountsAlwaysOnLog.etl
Category: modified
Dump: HxAccountsAlwaysOnLog.etl.16.dr
ID: dr_6
Target ID: 16
Process: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe
Type: data
Entropy: 0.2063416515581793
Encrypted: false
Size: 131072
Whitelisted: false

File: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxmAlwaysOnLog.etl
Category: dropped
Dump: HxmAlwaysOnLog.etl.12.dr
ID: dr_7
Target ID: 12
Process: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
Type: data
Entropy: 0.11973726254482248
Encrypted: false
Size: 65536
Whitelisted: false

File: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat
Category: dropped
Dump: settings.dat.12.dr
ID: dr_8
Target ID: 12
Process: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
Type: MS Windows registry file, NT/2000 or above
Entropy: 2.5808517128582356
Encrypted: false
Size: 524288
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1722544357985570900_B73AB043-0867-44D0-83DA-992166307611.log
Category: dropped
Dump: App1722544357985570900_B73AB043-0867-44D0-83DA-992166307611.log.0.dr
ID: dr_17
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: ASCII text, with very long lines (28730), with CRLF line terminators
Entropy: 0.17668930616489464
Encrypted: false
Size: 20971520
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1722544357986312000_B73AB043-0867-44D0-83DA-992166307611.log
Category: dropped
Dump: App1722544357986312000_B73AB043-0867-44D0-83DA-992166307611.log.0.dr
ID: dr_16
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: data
Entropy: 0.0
Encrypted: false
Size: 20971520
Whitelisted: false

File: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240801T1632370773-6156.etl
Category: modified
Dump: OUTLOOK_16_0_16827_20130-20240801T1632370773-6156.etl.0.dr
ID: dr_18
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: data
Entropy: 4.517808270624704
Encrypted: false
Size: 106496
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Creates temporary files | System Summary |

File: C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl
Category: dropped
Dump: MSO3072.acl.0.dr
ID: dr_1
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: data
Entropy: 1.2389205950315936
Encrypted: false
Size: 30
Whitelisted: false

File: C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs
Category: dropped
Dump: NoEmail.srs.0.dr
ID: dr_12
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: Composite Document File V2 Document, Cannot read section info
Entropy: 0.6695826288335578
Encrypted: false
Size: 16384
Whitelisted: false

File: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst
Category: dropped
Dump: Outlook Data File - NoEmail.pst.0.dr
ID: dr_15
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: Microsoft Outlook email folder (>=2003)
Entropy: 2.377777293191977
Encrypted: false
Size: 271360
Whitelisted: false

File: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Category: dropped
Dump: ~Outlook Data File - NoEmail.pst.tmp.0.dr
ID: dr_14
Target ID: 0
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Type: data
Entropy: 3.5109511141334333
Encrypted: false
Size: 131072
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Creates files inside the user directory | System Summary |