Edit tour

Windows Analysis Report
EXTERNAL .msg

Overview

General Information

Sample name:	EXTERNAL .msg
Analysis ID:	1431792
MD5:	bf27dab819ddd1111c45e0e6c12bdee0
SHA1:	e0134d3997295e6afcc792af1e56ba532677bbb4
SHA256:	b3eada106e8859587088d4ed92f9535d0b44300da04a6fac8a6b5fb7753ed816
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Phishing site detected (based on OCR NLP Model)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Outlook Security Settings Updated - Registry

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6760 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\EXTERNAL .msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6860 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "63ED5AB2-2F5D-4683-907E-2F29691C3407" "2B0A5043-B5FF-418B-89DD-6FDA9FAB4E85" "6760" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6760, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Outlook Security Settings Updated - Registry

Source: Registry Key set

Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\IZ5MOODG\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6760, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: MSG / EML

ML Model on OCR Text: Matched 94.7% probability on "This email ori inated from OUTSIDE of Desert Diamond. Do not click links oro en attachments unless ou reco nize the sender and know the content is safe. If in doubt click the Re ort Phish button at to ri ht of the Outlook Home Ribbon . "

Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.aadrm.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.aadrm.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.cortana.ai
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.office.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.onedrive.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://api.scheduler.
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://augloop.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://cdn.entity.
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://clients.config.office.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://clients.config.office.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://config.edge.skype.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://cortana.ai
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://cortana.ai/api
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://cr.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://d.docs.live.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://dev.cortana.ai
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://devnull.onenote.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://directory.services.
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ecs.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://graph.windows.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://graph.windows.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://invites.office.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://lifecycle.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://login.windows.local
Source: OUTLOOK_16_0_16827_20130-20240425T1924210168-6760.etl.1.dr	String found in binary or memory: https://login.windows.localMiR
Source: OUTLOOK_16_0_16827_20130-20240425T1924210168-6760.etl.1.dr	String found in binary or memory: https://login.windows.localR
Source: OUTLOOK_16_0_16827_20130-20240425T1924210168-6760.etl.1.dr	String found in binary or memory: https://login.windows.localnull
Source: OUTLOOK_16_0_16827_20130-20240425T1924210168-6760.etl.1.dr	String found in binary or memory: https://login.windows.localnullD
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://make.powerautomate.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://management.azure.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://management.azure.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://messaging.office.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ncus.contentsync.
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://officeapps.live.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://onedrive.live.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://outlook.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://outlook.office.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://outlook.office365.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://outlook.office365.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://res.cdn.office.net
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://settings.outlook.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://staging.cortana.ai
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://substrate.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://tasks.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://wus2.contentsync.
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 0F95D951-E92D-4328-8307-1343382D8CDC.1.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: clean2.winMSG@3/21@0/0