Edit tour

Windows Analysis Report
Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg

Overview

General Information

Sample name:	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg
Analysis ID:	1554530
MD5:	b5e25430991c44614f50c1267b6366e4
SHA1:	69ac0a240ed47174c682e460bbf9d987fd61f9ea
SHA256:	83f78538fab1dcfcc682b9c13b890335ea699d2f70e9e051a9af5f478162a4e2
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected potential phishing Email

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7504 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7880 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BA78306B-BE8B-4ADC-AFC1-E0C5491E75CB" "C7638F03-C93A-432E-8AF2-87C9199972B1" "7504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DesusertionIp: 192.168.2.9, DesusertionIsIpv6: false, DesusertionPort: 49725, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Initiated: true, ProcessId: 7504, Protocol: tcp, SourceIp: 52.123.255.64, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T16:22:07.947755+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.9	49724	TCP
2024-11-12T16:22:50.574442+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.9	49731	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T16:22:08.813461+0100	2028371	3	Unknown Traffic	192.168.2.9	49725	52.123.255.64	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 52.123.255.64:443 -> 192.168.2.9:49725 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49725 -> 52.123.255.64:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49724
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49731

Source: global traffic

HTTP traffic detected: GET /config/v2/Office/outlook/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b9962C6B6-1E82-43E1-A3AC-0545D7C341CB%7d&Application=outlook&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=outlook.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bFE390A80-FDE1-426A-82E9-5E77BEC4B996%7d&LabMachine=false HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipIf-None-Match: "1RF1//od8140xbOlEQ6ne2KyO35ZCBm2MWx6tQf7JXg="User-Agent: Microsoft Office 2014DisableExperiments: falseX-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130Host: ecs.office.com

Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg	String found in binary or memory: "url": "https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2F%40posicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881567850%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=ijUil%2FR1ZTq0E1QHulE6KZzX005%2F8rWV75rma27g0jg%3D&reserved=0", equals www.youtube.com (Youtube)
Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg	String found in binary or memory: <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinkedin.com%2Fcompany%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881517315%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=mZoKhMr%2BbZCqVkNH5gaYokeYPIt80HxelrLkgyFL6TE%3D&reserved=0> <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finstagram.com%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881534498%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=J%2BKa94Dag6GNTNPFUEu4ymaSrvNsJLLhj7EG6Am0ndI%3D&reserved=0> <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffacebook.com%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881551514%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=tA7eEXWTpsDYTm5VAskGgJl2u2Ot7k%2FDAmA3R8FOq4A%3D&reserved=0> <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2F%40posicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881567850%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=ijUil%2FR1ZTq0E1QHulE6KZzX005%2F8rWV75rma27g0jg%3D&reserved=0> equals www.youtube.com (Youtube)
Source: ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	String found in binary or memory: HYPERLINK "https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2F%40posicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881567850%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=ijUil%2FR1ZTq0E1QHulE6KZzX005%2F8rWV75rma27g0jg%3D&reserved=0" \t "_blank" equals www.youtube.com (Youtube)

Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg	String found in binary or memory: http://schema.org
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.office.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://api.scheduler.
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://augloop.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.entity.
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cortana.ai
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://cr.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	String found in binary or memory: https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fconfirmation.mailerlite.io%2Fsubsc
Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	String found in binary or memory: https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finstagram.com%2Fposicooagency&data
Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	String found in binary or memory: https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinkedin.com%2Fcompany%2Fposicooag
Source: ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	String found in binary or memory: https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fposicoo.com%2F&data=05%7C02%7Ctilo
Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	String found in binary or memory: https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.google.pl%2Furl%3Furl%3Dhttp%3
Source: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	String found in binary or memory: https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2F%40posicooagency
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://directory.services.
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ecs.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://graph.windows.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://invites.office.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://login.windows.local
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://management.azure.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://management.azure.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://mss.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://outlook.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://substrate.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://tasks.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	String found in binary or memory: https://www.yammer.com

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown

HTTPS traffic detected: 52.123.255.64:443 -> 192.168.2.9:49725 version: TLS 1.2

Source: classification engine

Classification label: mal48.winMSG@3/16@0/1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241112T1022030539-7504.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BA78306B-BE8B-4ADC-AFC1-E0C5491E75CB" "C7638F03-C93A-432E-8AF2-87C9199972B1" "7504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BA78306B-BE8B-4ADC-AFC1-E0C5491E75CB" "C7638F03-C93A-432E-8AF2-87C9199972B1" "7504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: Email	LLM: Page contains button: 'Open' Source: 'Email'
Source: Email	LLM: Email contains prominent button: 'open'

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The sender's email domain 'rupturafer.org' is suspicious and attempts to impersonate Viridium-gruppe

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
svc.ms-acdc-teams.office.com	52.123.255.64	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.diagnosticssdf.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://login.microsoftonline.com/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://shell.suite.office.com:1443	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://designerapp.azurewebsites.net	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://autodiscover-s.outlook.com/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://useraudit.o365auditrealtimeingestion.manage.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://outlook.office365.com/connectors	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://cdn.entity.	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.addins.omex.office.net/appinfo/query	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://clients.config.office.net/user/v1.0/tenantassociationkey	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fposicoo.com%2F&data=05%7C02%7Ctilo	~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	false	high
https://powerlift.acompli.net	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://rpsticket.partnerservices.getmicrosoftkey.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://lookup.onenote.com/lookup/geolocation/v1	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://cortana.ai	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.powerbi.com/v1.0/myorg/imports	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://notification.m365.svc.cloud.microsoft/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://cloudfiles.onenote.com/upload.aspx	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://entitlement.diagnosticssdf.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.aadrm.com/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://ofcrecsvcapi-int.azurewebsites.net/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://canary.designerapp.	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://ic3.teams.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinkedin.com%2Fcompany%2Fposicooag	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	false	high
https://www.yammer.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.microsoftstream.com/api/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://cr.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2F%40posicooagency	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	false	high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://messagebroker.mobile.m365.svc.cloud.microsoft	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://otelrules.svc.static.microsoft	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://portal.office.com/account/?ref=ClientMeControl	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://edge.skype.com/registrar/prod	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://graph.ppe.windows.net	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://res.getmicrosoftkey.com/api/redemptionevents	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://powerlift-frontdesk.acompli.net	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://tasks.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://officeci.azurewebsites.net/api/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.scheduler.	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://my.microsoftpersonalcontent.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://store.office.cn/addinstemplate	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.aadrm.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fconfirmation.mailerlite.io%2Fsubsc	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	false	high
https://edge.skype.com/rps	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://outlook.office.com/autosuggest/api/v1/init?cvid=	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://globaldisco.crm.dynamics.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://messaging.engagement.office.com/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://dev0-api.acompli.net/autodetect	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://www.odwebp.svc.ms	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.diagnosticssdf.office.com/v2/feedback	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.powerbi.com/v1.0/myorg/groups	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://web.microsoftstream.com/video/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.addins.store.officeppe.com/addinstemplate	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://graph.windows.net	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://dataservice.o365filtering.com/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://officesetup.getmicrosoftkey.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://analysis.windows.net/powerbi/api	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://aka.ms/LearnAboutSenderIdentification	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	false	high
https://prod-global-autodetect.acompli.net/autodetect	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://substrate.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://outlook.office365.com/autodiscover/autodiscover.json	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://consent.config.office.com/consentcheckin/v1.0/consents	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.google.pl%2Furl%3Furl%3Dhttp%3	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg, ~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp.0.dr	false	high
https://notification.m365.svc.cloud.microsoft/PushNotifications.Register	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://d.docs.live.net	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://safelinks.protection.outlook.com/api/GetPolicy	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://ncus.contentsync.	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
http://weather.service.msn.com/data.aspx	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://apis.live.net/v5.0/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://officepyservice.office.net/service.functionality	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://templatesmetadata.office.net/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://messaging.lifecycle.office.com/	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://mss.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://pushchannel.1drv.ms	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://management.azure.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://outlook.office365.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://wus2.contentsync.	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://incidents.diagnostics.office.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://clients.config.office.net/user/v1.0/ios	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://make.powerautomate.com	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high
https://api.addins.omex.office.net/api/addins/search	4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.123.255.64	svc.ms-acdc-teams.office.com	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554530
Start date and time:	2024-11-12 16:20:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg
Detection:	MAL
Classification:	mal48.winMSG@3/16@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 40.79.167.8
Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, onedscolprdaue02.australiaeast.cloudapp.azure.com, ctldl.windowsupdate.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com, mira.config.skype.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "explanation": [ "The sender's email domain 'rupturafer.org' is suspicious and attempts to impersonate Viridium-gruppe", "Contains suspicious encoded/obfuscated URLs with random characters and unusual domains like 'klxnahobxjvlvmzhzykhxy.com'", "Uses a mix of languages (German/Spanish) and contains a suspicious confirmation link, typical phishing tactics" ], "phishing": true, "confidence": 9 }
{ "date": "Tue, 12 Nov 2024 09:41:42 +0100", "subject": "Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''", "communications": [ "\tSie erhalten nicht hufig E-Mails von viridium-gruppe.document.499158612@shared.servfile749160512.rupturafer.org. Erfahren Sie, warum dies wichtig ist <https://aka.ms/LearnAboutSenderIdentification> \n\t\n__________ \n \n <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.google.pl%2Furl%3Furl%3Dhttp%3A%2F%2Fklxnahobxjvlvmzhzykhxy.com%26qfi%3Dgoqmwgj%26ouicjb%3Donj%26bnfjs%3Ddhggvc%26eki%3Dlbpnlux%26q%3Damp%2Ftixqfjm.p%25C2%25ADq%25C2%25ADq%25C2%25ADy%25C2%25ADdi%25C2%25ADwh%25C2%25ADk%25C2%25ADhl%25C2%25ADn%25C2%25ADr%25C2%25ADf%25C2%25ADv%25C2%25ADug%25C2%25ADf.com%2F0bemd8rf5%26stcu%3Dxdodkmv%26nznlcec%3Dhjwyxcpt%26gifz%3Deovcujc%26yvwvfzf%3Dbzdsbulv%26kwlu%3Dfswwqlh%26qblcmgj%3Dqehistht%26kniv%3Dupevmgc%26tmohvdy%3Djtmiuqjg%26dbzy%3Dqaliksq%26naww%3Dquswryt%26ngurxjy%3Djywdmfqd%26pqro%3Dnqhfwwk%26hisqfzh%3Drrysknad%26sbwu%3Dvyujlbh%26istebsu%3Dfxeeghdm%26djjx%3Dprzmwzt%26ioqdsej%3Dwofftlol&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881062084%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=%2FHDXuB0sc6XThUkx1h4HKaXQhk5sLitkytCcXDesBYw%3D&reserved=0> \n \n \n\t\nConfirma tu correo para recibir las mejores estrategias. \t\n\t\n\t\n\t\n <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fposicoo.com%2F&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881087940%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Y7CG721SGQIERYALCRpZXWq0ykkPU3nOKvXy9SE91Jc%3D&reserved=0> \t\n\t\n\t\n\t\n\nConfirmar que oFLWT@wUWjLcy.oFLWT.com te pertenece, es ms fcil que decir Growth Marketing 3 veces rpido \n\n\t\nRecibirs las mejores estrategias de marketing y comunicaciones , pero antes, necesitamos confirmar que oFLWT@wUWjLcy.oFLWT.com eres t (y no un robot loco de internet ). \n\n\t\n\t\nConfirmar mi correo <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fconfirmation.mailerlite.io%2Fsubscribe%2F733707%2F133358466470249633%3Fsignature%3D4b6ab7bbba7e08ac595eeda8c302b3d4970feb0a773d1050e3849d98f4124b5f&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881305807%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=vX2pHE%2FNvx4N35v3CghOIiTX27Q6bcNeP8Nb2C1VY%2F8%3D&reserved=0> \t\n\t\n\t\n\t\n\t\nSi no llenaste un formulario en Posicoo o IndigoPR, solo elimina este correo. No recibirs mas mensajes de nuestra parte, si no confirmas el correo. \n\n\t\n\t\n <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fposicoo.com%2F&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881499450%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Tx9ZLrZd%2Fn%2BfwjpWZej%2BoGcnAvFUCrHn8nrQwzXGFu0%3D&reserved=0> \t\n\t\n <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinkedin.com%2Fcompany%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881517315%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=mZoKhMr%2BbZCqVkNH5gaYokeYPIt80HxelrLkgyFL6TE%3D&reserved=0> \t <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finstagram.com%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881534498%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=J%2BKa94Dag6GNTNPFUEu4ymaSrvNsJLLhj7EG6Am0ndI%3D&reserved=0> \t <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffacebook.com%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881551514%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=tA7eEXWTpsDYTm5VAskGgJl2u2Ot7k%2FDAmA3R8FOq4A%3D&reserved=0> \t <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2F%40posicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881567850%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=ijUil%2FR1ZTq0E1QHulE6KZzX005%2F8rWV75rma27g0jg%3D&reserved=0> \t\n\t\nPosicoo \n\nPasin por el marketing, experiencia en ventas y comunicaciones con resultados. Encuntranos en Santiago, Chile y en Lima, Per. \n\n\t\n\t\n\t\n" ], "from": "viridium-gruppe.document.499158612@shared.servfile749160512.rupturafer.org", "to": "tilo.dresig@viridium-gruppe.com", "attachements": [ "img-3832008001.jpg", "img-1415883832.jpg", "hjtBdQYvtvSuc.jpg", "img-2497148771.jpg", "img-1462339407.jpg", "img-1092747358.jpg" ] }
URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "You've received a do", "prominent_button_name": "Open", "text_input_field_labels": [ "v_iridium-grupp" ], "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: Email Model: claude-3-haiku-20240307	```json { "brands": [ "Microsoft" ] }
	```json { "brands": [ "Microsoft" ] }

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
svc.ms-acdc-teams.office.com	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	52.123.251.14
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	52.123.242.159
	SecuriteInfo.com.Trojan.GenericKD.74442994.24259.8937.exe	Get hash	malicious	Unknown	Browse	52.123.243.92
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	52.123.243.94
	Seeking Assistance for Legal Assistance in a Medical Matter.msg	Get hash	malicious	Unknown	Browse	52.123.243.81
	https://1drv.ms/b/c/7bab8803aa446446/EVRHiu8efYZAkD-YFD5xQmIBzT5hMnGkyiNpwrnOj-mH_g	Get hash	malicious	HTMLPhisher	Browse	52.123.224.72
	file.exe	Get hash	malicious	Unknown	Browse	52.123.243.83
	Inspection Notice.msg	Get hash	malicious	HTMLPhisher	Browse	52.123.243.74
	file.exe	Get hash	malicious	Unknown	Browse	52.123.243.199
	Order_ 039924.docx.doc	Get hash	malicious	Unknown	Browse	52.123.243.78

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	specifications and technical requirements.pdf	Get hash	malicious	HTMLPhisher	Browse	20.190.159.2
	https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	150.171.28.10
	https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	150.171.28.10
	https://cx.surveysensum.com/d6xqqwvx	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DkaP7_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA8HMkQB3GP7mtgLvWqf-2F2SUC5eKSSwLqPZnnofRHoc7cSU1xfupfl4il6cb3-2BSKrTYe1odI0Jq1F3XJEtoagDhZ-2B0poPJjuweCyekPO2Y39xfy8FdwLLvVUma4NgVhDhlM-3D	Get hash	malicious	Unknown	Browse	52.123.129.14
	WFT9070Y689_0PF57682456_HTVC789378909789.exe	Get hash	malicious	MassLogger RAT	Browse	20.42.65.92
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	20.255.117.170
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	94.245.104.56
	sora.arm.elf	Get hash	malicious	Mirai	Browse	20.45.5.185
	DEMASI-24-12B DOC. SCAN.exe	Get hash	malicious	GuLoader, Remcos	Browse	13.107.246.57

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	52.123.255.64
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	52.123.255.64
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	52.123.255.64
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	52.123.255.64
	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse	52.123.255.64
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	52.123.255.64
	Payment advice_USD75,230.18.xls	Get hash	malicious	Unknown	Browse	52.123.255.64
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	52.123.255.64
	file.exe	Get hash	malicious	LummaC	Browse	52.123.255.64
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	52.123.255.64

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.393542768020975
Encrypted:	false
SSDEEP:	1536:HxYLW9gsGYemXvO28gsjqNcAz79ysQqt2AV9lGqoQl5rcm0Fv2nlyJwTGvY/g1t+:Wwgof0gZmiGu2bqoQDrt0FvV6Lqsj5Ht
MD5:	0260C8D4A318543A534E527FDBD77EDB
SHA1:	111472A2DB0B38936F6C3061C8BEC74AF9D89509
SHA-256:	3B70588B0AFE1780498D7EC628F16CA2A0AAC86FF1045989D0EB913D060FB8BD
SHA-512:	9C5372E565764F735BB1915F92A94A0CD2A00EE76FC4FEC3AAA35BEF8CFA551080F6295E0F0452D1165A8852973A1F4C3662598DB791291ECB3E7EBB0381B118
Malicious:	false
Reputation:	low
Preview:	TH02...... .....5......SM01X...,... ....5..........IPM.Activity...........h...............h............H..h.......r....h........ ..H..h\tin ...pDat...hpv..0...H......h.v.............h........_`3k...h.w..@...I.Rw...h....H...8.8k...0....T...............d.........2h...............k..D...........!h.............. h.F......`.....#h....8.........$h ......8....."h..............'h..............1h.v..<.........0h....4....8k../h....h.....8kH..h.)..p.......-h .............+h.v........................ ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	5.754886419090607
TrID:	Outlook Message (71009/1) 45.36% Outlook Form Template (41509/1) 26.51% ClickyMouse macro set (36024/1) 23.01% Generic OLE2 / Multistream Compound File (8008/1) 5.12%
File name:	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg
File size:	306'176 bytes
MD5:	b5e25430991c44614f50c1267b6366e4
SHA1:	69ac0a240ed47174c682e460bbf9d987fd61f9ea
SHA256:	83f78538fab1dcfcc682b9c13b890335ea699d2f70e9e051a9af5f478162a4e2
SHA512:	3c83faf969c415ed65cb49ce8e719fe91ac9ebdf406417dd658ddfba0e6d9016edf43cb418ac31c7c92af60cae3671d93e7086fa5633246f4019097eaa5b09c6
SSDEEP:	6144:rb8izM9Y6DtBEnxeXqfRoFbxRRBAGQgvddg/hR:X8izM9Y6DtBEnxeXqfRieJsKR
TLSH:	6954D92729EA0316F3739B709FE3549B4A27BC566C25994F2086270F1A33A11DC56B3F
File Content Preview:	........................>.......................................................p..............................................................................................................................................................................

Subject:	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''
From:	viridium-gruppe.document.499158612@shared.servfile749160512.rupturafer.org
To:	tilo.dresig@viridium-gruppe.com
Cc:
BCC:
Date:	Tue, 12 Nov 2024 09:41:42 +0100
Communications:	Sie erhalten nicht hufig E-Mails von viridium-gruppe.document.499158612@shared.servfile749160512.rupturafer.org. Erfahren Sie, warum dies wichtig ist <https://aka.ms/LearnAboutSenderIdentification> __________ <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.google.pl%2Furl%3Furl%3Dhttp%3A%2F%2Fklxnahobxjvlvmzhzykhxy.com%26qfi%3Dgoqmwgj%26ouicjb%3Donj%26bnfjs%3Ddhggvc%26eki%3Dlbpnlux%26q%3Damp%2Ftixqfjm.p%25C2%25ADq%25C2%25ADq%25C2%25ADy%25C2%25ADdi%25C2%25ADwh%25C2%25ADk%25C2%25ADhl%25C2%25ADn%25C2%25ADr%25C2%25ADf%25C2%25ADv%25C2%25ADug%25C2%25ADf.com%2F0bemd8rf5%26stcu%3Dxdodkmv%26nznlcec%3Dhjwyxcpt%26gifz%3Deovcujc%26yvwvfzf%3Dbzdsbulv%26kwlu%3Dfswwqlh%26qblcmgj%3Dqehistht%26kniv%3Dupevmgc%26tmohvdy%3Djtmiuqjg%26dbzy%3Dqaliksq%26naww%3Dquswryt%26ngurxjy%3Djywdmfqd%26pqro%3Dnqhfwwk%26hisqfzh%3Drrysknad%26sbwu%3Dvyujlbh%26istebsu%3Dfxeeghdm%26djjx%3Dprzmwzt%26ioqdsej%3Dwofftlol&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881062084%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=%2FHDXuB0sc6XThUkx1h4HKaXQhk5sLitkytCcXDesBYw%3D&reserved=0> Confirma tu correo para recibir las mejores estrategias. <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fposicoo.com%2F&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881087940%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Y7CG721SGQIERYALCRpZXWq0ykkPU3nOKvXy9SE91Jc%3D&reserved=0> Confirmar que oFLWT@wUWjLcy.oFLWT.com te pertenece, es ms fcil que decir Growth Marketing 3 veces rpido Recibirs las mejores estrategias de marketing y comunicaciones , pero antes, necesitamos confirmar que oFLWT@wUWjLcy.oFLWT.com eres t (y no un robot loco de internet ). Confirmar mi correo <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fconfirmation.mailerlite.io%2Fsubscribe%2F733707%2F133358466470249633%3Fsignature%3D4b6ab7bbba7e08ac595eeda8c302b3d4970feb0a773d1050e3849d98f4124b5f&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881305807%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=vX2pHE%2FNvx4N35v3CghOIiTX27Q6bcNeP8Nb2C1VY%2F8%3D&reserved=0> Si no llenaste un formulario en Posicoo o IndigoPR, solo elimina este correo. No recibirs mas mensajes de nuestra parte, si no confirmas el correo. <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fposicoo.com%2F&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881499450%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=Tx9ZLrZd%2Fn%2BfwjpWZej%2BoGcnAvFUCrHn8nrQwzXGFu0%3D&reserved=0> <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinkedin.com%2Fcompany%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881517315%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=mZoKhMr%2BbZCqVkNH5gaYokeYPIt80HxelrLkgyFL6TE%3D&reserved=0> <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finstagram.com%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881534498%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=J%2BKa94Dag6GNTNPFUEu4ymaSrvNsJLLhj7EG6Am0ndI%3D&reserved=0> <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffacebook.com%2Fposicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881551514%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=tA7eEXWTpsDYTm5VAskGgJl2u2Ot7k%2FDAmA3R8FOq4A%3D&reserved=0> <https://deu01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2F%40posicooagency&data=05%7C02%7Ctilo.dresig%40viridium-gruppe.com%7Cff3592f435144c63850708dd02f5de70%7C7262225ef96d41a8b3c6739c32b1a9c9%7C0%7C0%7C638669978881567850%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=ijUil%2FR1ZTq0E1QHulE6KZzX005%2F8rWV75rma27g0jg%3D&reserved=0> Posicoo Pasin por el marketing, experiencia en ventas y comunicaciones con resultados. Encuntranos en Santiago, Chile y en Lima, Per.
Attachments:	img-3832008001.jpg img-1415883832.jpg hjtBdQYvtvSuc.jpg img-2497148771.jpg img-1462339407.jpg img-1092747358.jpg

Key	Value
Received	from shpfnyobsy ([103.114.218.218])
FR3P281MB3197.DEUP281.PROD.OUTLOOK.COM with HTTPS; Tue, 12 Nov 2024 08	44:47
BE1P281MB1457.DEUP281.PROD.OUTLOOK.COM (2603	10a6:b10:17::8) with Microsoft
15.20.8137.29; Tue, 12 Nov 2024 08	41:58 +0000
(2603	10a6:d10:9e::18) with Microsoft SMTP Server (version=TLS1_2,
Transport; Tue, 12 Nov 2024 08	41:49 +0000
Authentication-Results	spf=softfail (sender IP is 20.61.161.88)
Received-SPF	Pass (protection.outlook.com: domain of
via Frontend Transport; Tue, 12 Nov 2024 08	41:49 +0000
for <tilo.dresig@viridium-gruppe.com>; Tue, 12 Nov 2024 09	41:56 +0100 (CET)
ARC-Authentication-Results	i=1; seg-azure-cl01-node01.de.cancom-mase.com;
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=
viridium-gruppe.com; h=content-transfer-encoding	subject:from:to
	content-language:user-agent:mime-version:date:message-id; s=vg;
ARC-Seal	i=1; a=rsa-sha256; cv=none; d=viridium-gruppe.com; s=vg; t=
Authentication-Results-Original	spf=pass (sender IP is 209.85.160.230)
by BE1PPFA37683A28.DEUP281.PROD.OUTLOOK.COM (2603	10a6:b18::67f) with
2024 08	41:49 +0000
for <tilo.dresig@viridium-gruppe.com>; Tue, 12 Nov 2024 00	41:48 -0800 (PST)
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed;
h=message-id	reply-to:from:subject:to:date:mime-version
	x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
X-Google-DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed;
X-Gm-Message-State	AOJu0YyZGVw6gYWvpSE7Vn+aN+HJGL5H3rzThQkQrdDWMd/PUWAMszPX
X-Google-Smtp-Source	AGHT+IHrJCfX3T36op5N6rk9Dqh0003basqxxBH1CyZ1bRT9DjF2XP9nOJwhSJ8iJSmZYujHQeVvBDhwaJE9
X-Received	by 2002:a05:622a:1989:b0:461:2f3:c52f with SMTP id d75a77b69052e-46309a1ee26mr271958341cf.2.1731400905417;
Tue, 12 Nov 2024 00	41:45 -0800 (PST)
X-Relaying-Domain	sisc.org.uk
MIME-Version	1.0
Date	Tue, 12 Nov 2024 08:41:42 +0000
To	tilo.dresig@viridium-gruppe.com
Subject	Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''
From	viridium-gruppe.document.499158612@shared.servfile749160512.rupturafer.org
Reply-To	viridium-gruppe.document.499158612@shared.servfile749160512.rupturafer.org
Message-ID	<8f44b37e-b54a-4d7a-af3b-370cab609fa7@shared.servfile749160512.rupturafer.org>
Content-Type	multipart/related;
X-EOPAttributedMessage	1
X-MS-TrafficTypeDiagnostic	FR2PEPF000004F0:EE_\|BE1PPFA37683A28:EE_\|BE1PEPF0000056E:EE_\|BE1P281MB1457:EE_\|FR3P281MB3197:EE_
X-MS-Office365-Filtering-Correlation-Id	ff3592f4-3514-4c63-8507-08dd02f5de70
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|22003199012\|43022699015\|5063199012\|5073199012\|4073199012\|8096899003\|43540500003;
X-Microsoft-Antispam-Message-Info-Original	=?us-ascii?Q?rf8ccyFjbBwUWHKnz+gjTG9824yaZFSFwPD/PVx88QyIgzSggE1ykzPQJnxO?=
X-Forefront-Antispam-Report-Untrusted	CIP:209.85.160.230;CTRY:US;LANG:es;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-qt1-f230.google.com;PTR:mail-qt1-f230.google.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(22003199012)(43022699015)(5063199012)(5073199012)(4073199012)(8096899003)(43540500003);DIR:INB;SFTY:9.25;
X-MS-Exchange-Transport-CrossTenantHeadersStamped	BE1P281MB1457
X-OrganizationHeadersPreserved	BE1PPFA37683A28.DEUP281.PROD.OUTLOOK.COM
X-SM-incoming	yes
Return-Path	viridium-gruppe.document.499158612@shared.servfile749160512.rupturafer.org
X-MS-Exchange-Organization-ExpirationStartTime	12 Nov 2024 08:41:57.8637
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	ff3592f4-3514-4c63-8507-08dd02f5de70
X-MS-Exchange-Organization-MessageDirectionality	Originating
X-MS-Exchange-Organization-SCL	1
X-CrossPremisesHeadersPromoted	BE1PEPF0000056E.DEUP281.PROD.OUTLOOK.COM
X-CrossPremisesHeadersFiltered	BE1PEPF0000056E.DEUP281.PROD.OUTLOOK.COM
X-MS-Exchange-Transport-CrossTenantHeadersStripped	BE1PEPF0000056E.DEUP281.PROD.OUTLOOK.COM
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	FR2PEPF000004F0.DEUP281.PROD.OUTLOOK.COM
X-MS-Exchange-Organization-AuthAs	Anonymous
X-OriginatorOrg	viridium-gruppe.com
X-MS-Office365-Filtering-Correlation-Id-Prvs	9c0d346b-7fe9-4fa2-a67e-08dd02f5d92e
X-Microsoft-Antispam	BCL:0;ARA:13230040\|22003199012\|35042699022\|82310400026\|43022699015\|5063199012\|5073199012\|4073199012\|8096899003\|43540500003;
X-Forefront-Antispam-Report	CIP:20.61.161.88;CTRY:NL;LANG:es;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:seg-azure-cl01-node01.de.cancom-mase.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(22003199012)(35042699022)(82310400026)(43022699015)(5063199012)(5073199012)(4073199012)(8096899003)(43540500003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	12 Nov 2024 08:41:57.6450
X-MS-Exchange-CrossTenant-Network-Message-Id	ff3592f4-3514-4c63-8507-08dd02f5de70
X-MS-Exchange-CrossTenant-Id	7262225e-f96d-41a8-b3c6-739c32b1a9c9
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp	TenantId=7262225e-f96d-41a8-b3c6-739c32b1a9c9;Ip=[20.61.161.88];Helo=[seg-azure-cl01-node01.de.cancom-mase.com]
X-MS-Exchange-CrossTenant-AuthSource	FR2PEPF000004F0.DEUP281.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	HybridOnPrem
X-MS-Exchange-Transport-EndToEndLatency	00:02:50.1889926
X-MS-Exchange-Processed-By-BccFoldering	15.20.8137.022
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	=?us-ascii?Q?rK35AHTYXyA3ysyYz8ZBfuaVYJQJwkBLuQQgDTV3N5lLo6CcViSgfJV50mW1?=
date	Tue, 12 Nov 2024 09:41:42 +0100

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 16:22:07.685705900 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:07.685734034 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:07.685796022 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:07.686574936 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:07.686587095 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:08.813288927 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:08.813461065 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:08.961790085 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:08.961807966 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:08.962182045 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:08.973690033 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:09.015331030 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:09.281579971 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:09.324335098 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:09.324345112 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:09.394979000 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:09.396023989 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:11.536092997 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:11.536128044 CET	443	49725	52.123.255.64	192.168.2.9
Nov 12, 2024 16:22:11.536143064 CET	49725	443	192.168.2.9	52.123.255.64
Nov 12, 2024 16:22:11.536149979 CET	443	49725	52.123.255.64	192.168.2.9

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 16:22:07.683501959 CET	1.1.1.1	192.168.2.9	0x8811	No error (0)	svc.ha-teams.office.com	svc.ms-acdc-teams.office.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 16:22:07.683501959 CET	1.1.1.1	192.168.2.9	0x8811	No error (0)	svc.ms-acdc-teams.office.com		52.123.255.64	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:22:07.683501959 CET	1.1.1.1	192.168.2.9	0x8811	No error (0)	svc.ms-acdc-teams.office.com		52.123.242.168	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:22:07.683501959 CET	1.1.1.1	192.168.2.9	0x8811	No error (0)	svc.ms-acdc-teams.office.com		52.123.242.167	A (IP address)	IN (0x0001)	false
Nov 12, 2024 16:22:07.683501959 CET	1.1.1.1	192.168.2.9	0x8811	No error (0)	svc.ms-acdc-teams.office.com		52.123.242.138	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-11-12 15:22:08 UTC	857	OUT	GET /config/v2/Office/outlook/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b9962C6B6-1E82-43E1-A3AC-0545D7C341CB%7d&Application=outlook&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=outlook.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bFE390A80-FDE1-426A-82E9-5E77BEC4B996%7d&LabMachine=false HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip If-None-Match: "1RF1//od8140xbOlEQ6ne2KyO35ZCBm2MWx6tQf7JXg=" User-Agent: Microsoft Office 2014 DisableExperiments: false X-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130 Host: ecs.office.com
2024-11-12 15:22:09 UTC	1154	IN	HTTP/1.1 304 Cache-Control: no-cache,max-age=14400 Content-Type: application/json Expires: Tue, 12 Nov 2024 19:22:09 GMT ETag: "1RF1//od8140xbOlEQ6ne2KyO35ZCBm2MWx6xIr3c9s=" Server: Microsoft-IIS/10.0 request-id: 35436ae8-dbc6-71a3-bacc-68dc88699bb4 X-BackEndHttpStatus: 304 X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubDomains Report-To: {"group":"NelEcsUpload1","max_age":604800,"endpoints":[{"url":"https://ecs.nel.measure.office.net?TenantId=Office&DesusertionEndpoint=MIRA-WW-PAZ&FrontEnd=MIRA"}],"include_subdomains":true} NEL: {"report_to":"NelEcsUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01} X-Proxy-RoutingCorrectness: 1 X-MSEdge-Ref: MIRA: 35436ae8-dbc6-71a3-bacc-68dc88699bb4 PAZP264CA0239 2024-11-12T15:22:09.092Z Alt-Svc: h3=":443";ma=2592000,h3-29=":443";ma=2592000 X-Proxy-BackendServerStatus: 304 X-FirstHopCafeEFZ: ORY X-FEProxyInfo: PAZP264CA0239.FRAP264.PROD.OUTLOOK.COM X-FEEFZInfo: ORY X-Powered-By: ASP.NET X-FEServer: PAZP264CA0239 Date: Tue, 12 Nov 2024 15:22:08 GMT Connection: close

Target ID:	0
Start time:	10:21:57
Start date:	12/11/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg"
Imagebase:	0x440000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	10:22:06
Start date:	12/11/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BA78306B-BE8B-4ADC-AFC1-E0C5491E75CB" "C7638F03-C93A-432E-8AF2-87C9199972B1" "7504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff79fc70000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4AFC03B0-1912-4FA9-A6BA-7CAE08C01AE9

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A10679C.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9A596AED.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C3DD0247.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E849DC0A.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{49F181D0-82B8-4585-B962-3A7802D9F2BB}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1731424923795103900_FE390A80-FDE1-426A-82E9-5E77BEC4B996.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1731424923796072300_FE390A80-FDE1-426A-82E9-5E77BEC4B996.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241112T1022030539-7504.etl

C:\Users\user\AppData\Local\Temp\~DF9F9EA0DD1E33C82B.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Viridium-gruppe shared ''v_iridium-gruppe_441826776_12.11.2024''.msg